This chapter presents various reasons for the insufficiency of externalities in terms of the inference of market failure with regard to the field cybersecurity policy, which is claimed to be necessary for government intervention. The main argument of this chapter is that cybersecurity market failures are much smaller than initially assumed, and as a result, more harm might be done by trying to correct them through naïve government regulation.
TopIntroduction
Given the rapid changes in the field of computer networking its implications for our lives are uncertain. As a result, policy-makers differ in their views with regard to the regulatory action required in the field of cybersecurity.
Proponents of government intervention in cybersecurity assert that as market forces on their own cannot obtain the required level of security for the fulfilment of national security objectives regulation is necessary to establish the suitable level of cybersecurity (CSIS, 2008). Their rationale can be explained based on the economic concepts of public goods and market failure.
Those goods whose benefits are for all of society yet whose returns are difficult to capture for any individual are defined as public goods. For instance, without the incentives of the government, basic research could not be supplied by the market, so it counts as a public good. Similarly, cybersecurity is another such public good as market forces are not adequate.
According to Van Eeten and Bauer (2009), if social costs and benefits of security decisions are not correctly reflected in the incentives of the players in the value net due to externalities or public good aspects of security investments, there will be a systematic deviation from the social optimum. These authors claim that low security investments may lead to slower diffusion rates of IT uses and the related opportunity costs to society (Van Eeten and Bauer, 2009).
According to some policy analysts, a market failure can be inferred whenever an externality is observed. Yet, this inference would be a mistake as the observation of an externality is not sufficient on its own to infer a market failure despite the close relationship between externalities and market failure.
Within the light of economic literature, this paper purports to present various reasons for the insufficiency of externalities in terms of the inference of market failure with regard to the field cybersecurity policy which is claimed to be necessary for government intervention. The main argument of this paper is that cybersecurity market failures are much smaller than initially assumed and as a result, more harm might be done by trying to correct them through naïve government regulation.