
Three essays on the law and economics of information technology security

Posted on: 2007-09-16
Degree: Ph.D
Type: Dissertation
University: University of Illinois at Urbana-Champaign
Candidate: Majuca, Ruperto Pagaura
Full Text: PDF
GTID: 1448390005465559
Subject: Law
Abstract/Summary:
This dissertation contains three essays on the law and economics of cybersecurity. Chapter 1 contains the introduction to the problem and the review of the different technological, economic, and law-based solutions hitherto proposed to combat the problem.

Chapter 2, which contains the first essay, puts forward the idea that cyberinsurance can be a powerful tool to align market incentives toward improving cybersecurity. We present three economic arguments for cyberinsurance as well as conduct time and case studies to trace the evolution of the cyberinsurance industry. We conclude that in theory, there are significant theoretical foundations to support the case for cyberinsurance as a market-based solution to managing Internet security risks. In practice, although some implementation issues remain, cyberinsurers were able to find ways to address what used to be major problems, such as adverse selection, moral hazard, etc.

In Chapter 3, we examine whether firms whose computer systems are under attack should be permitted to hack back, and how the law of self-defense in cyberspace should be designed. We employ a formal, game-theoretic analysis of the strategic interaction between the hacker and the attacked firm/individual. We also include, in our extended model, Bayesian updating to capture the effect of intrusion detection system technology, as well as consider the social planner's perspective and the effect of different liability regimes. We conclude that neither total prohibition nor unrestrained permission of hackback is optimal. Instead, the model results suggest that hackback should be permitted when: (1) other alternatives, such as police enforcement and resort to courts, are either ineffective or ineffectual; (2) there is a serious prospect of hitting the hacker instead of innocent third parties; and (3) the damages to the attacked firm's (that is, the entity that is hacking back) systems that can be potentially mitigated outweigh the potential damages to third parties.

In Chapter 4, we study a model where cybercrimes are addressed through a combination of private and public measures, as well as study the public goods and externalities aspects of Internet security. We find that the socially-optimal level of security is achieved by equalizing the marginal-benefit-to-marginal-cost ratios of the different security measures. The interrelatedness of Internet risks causes firms to underinvest in private and public security goods. The government decidedly lowers the level of police expenditures to induce firms to invest in more precautions. Under certain conditions, cooperation results in socially-optimal levels of private and public security goods expenditures.
Keywords/Search Tags:Security, Three, Law, Private and public, Chapter