Files
garcia dissertation FINAL.pdf (7.31 MB)
The Economics of Data Breach: Asymmetric Information and Policy Interventions
Author Info
Garcia, Michael Erik
Permalink: http://rave.ohiolink.edu/etdc/view?acc_num=osu1365784884
Year and Degree
2013, Doctor of Philosophy, Ohio State University, Agricultural, Environmental and Developmental Economics.
Abstract
Large public and private costs result from attacks on firms’ information technology networks. Successful attacks result in data breaches with private damages from business interruption, reputation, and investigation forensics. Social losses result from exposing individuals’ personal information, leading to state, national, and international policymakers enacting legislation to manage these costs. Inadequate economic modeling exists to analyze this phenomenon, despite the large economic impact of cyberspace, e-commerce, and social networking. This research advances information security economics by deviating from a firm-level model to focus on the social welfare implications of firm and regulator decisions. I comprehensively review the economic and policy environment and develop the first rigorous economic model of regulatory approaches to data breach. I develop a one-period model of information security and analyze the efficacy of regulatory interventions in the face of asymmetric information. The model builds upon existing models of firm and firm-consumer information security investment and draws analogy between information security and managing asymmetric information in the biosecurity and livestock disease literature. I analyze firm and social planner incentives in a non-regulatory environment and three regulatory environments. Without regulation, the firm underinvests in network and data protection relative to the social optimum. In the first regime, the regulator must expend a fixed cost to observe social losses and overcome the firm’s moral hazard. The interaction between network and data protection permits the regulator to induce optimal behavior in two investment decisions with a single regulatory instrument. With sufficiently low regulatory costs, this result is socially preferred. 
In the second regulatory regime, the regulator must expend the same fixed cost for imperfect observation of social losses and administer a program requiring that the firm report breaches. The regulator can induce reporting with a sufficiently large fine for non-reporting, even with imperfect breach monitoring. In this regime, a disclosure investigation cost distorts the firm’s investment incentives in a manner inconsistent with social objectives, resulting in increased network protection at the expense of data protection. With a sufficiently high disclosure investigation cost, the firm will invest less in data protection than it would in lieu of regulation. The final regime introduces a data protection technology that mitigates social loss and some private damages. The regulator expends the same fixed cost for imperfect observation of social losses and requires disclosure only if the firm does not invest in the safe harbor technology. Except when very costly, this safe harbor technology allows the regulator to induce optimal investment and lower the firm’s regulatory burden. The safe harbor technology results in welfare gains except when the technology is very costly, at which point the firm may exit, or the safe harbor regime defaults to the distorted incentives of the disclosure policy. This research advances economic modeling in the relatively undeveloped field of information security economics. As policy aspects of information security become more developed, policymakers will require better tools to analyze policy impacts on both the firm’s wealth and on social welfare. This research provides a step toward those improved tools.
Committee
Brian Roe, Ph.D. (Advisor)
Sathya Gopalakrishnan, Ph.D. (Committee Member)
Ian Sheldon, Ph.D. (Committee Member)
Pages
223 p.
Subject Headings
Economics; Information Technology
Keywords
cybersecurity; cyber security; data breach; economics; data breach notification; information security; information security economics
Recommended Citations
APA Style (7th edition): Garcia, M. E. (2013). The Economics of Data Breach: Asymmetric Information and Policy Interventions [Doctoral dissertation, Ohio State University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=osu1365784884
MLA Style (8th edition): Garcia, Michael. The Economics of Data Breach: Asymmetric Information and Policy Interventions. 2013. Ohio State University, Doctoral dissertation. OhioLINK Electronic Theses and Dissertations Center, http://rave.ohiolink.edu/etdc/view?acc_num=osu1365784884.
Chicago Manual of Style (17th edition): Garcia, Michael. "The Economics of Data Breach: Asymmetric Information and Policy Interventions." Doctoral dissertation, Ohio State University, 2013. http://rave.ohiolink.edu/etdc/view?acc_num=osu1365784884
Document number: osu1365784884
Download Count: 2,679
Copyright Info
© 2013, all rights reserved.
This open access ETD is published by The Ohio State University and OhioLINK.