A Model of Information Security and Competition

Published Online: https://doi.org/10.1287/mksc.2023.0513

Cyberattacks are a pervasive threat in the digital economy, with the potential to harm firms and their customers. Larger firms constitute more valuable targets to hackers, thereby creating negative network effects. These can be mitigated by investments in security, which play both a deterrent and a protective role. We study equilibrium investment in information security under imperfect competition in a model where consumers differ in terms of security savviness. We show that the competitive implications of security depend on firms’ business models: when firms compete in prices, security intensifies competition, which implies that it is always underprovided in equilibrium (unlike in the monopoly case). When firms are advertising-funded platforms, security plays a business-stealing role, and may be overprovided. Regarding policy, the structure of the optimal liability regime also depends on firms’ business model.

History: Hema Yoganarasimhan served as the senior editor. This paper has been accepted for the Marketing Science Special Section on Digital Platforms in Marketing Science.

Funding: A. de Cornière received financial support from Agence Nationale de la Recherche [Grant ANR-17-EURE-0010] (Investissements d’Avenir program). G. Taylor received financial support from the Digital Economics Research Network.

Supplemental Material: The online appendix is available at https://doi.org/10.1287/mksc.2023.0513.
