Research

Our research takes an economic approach to digital security that focuses on the incentives of firms and consumers.


Our work has received financial support from the UK Economic and Social Research Council (ESRC) Discribe Hub+, which forms part of the broader DSbD initiative. We have also published a number of peer-reviewed articles and reports in the areas of digital security, data privacy and competition.


Research Projects

Cybersecurity and Data Sharing Incentives: Implications for Business and Regulators

Mar 2024 - Aug 2024

Link to Funder's Website: ESRC Discribe Hub+

This project contributes to an improved understanding of market incentives and regulation in the area of cybersecurity by translating our research findings into actionable insights for businesses and regulators.


Secure Hardware Adoption in the Open Data Context

May 2022 - Apr 2023

Link to Funder's Website: ESRC Discribe Hub+

This project investigates the factors that drive firms’ decisions to adopt hardware that is digitally secure by design, with a particular focus on markets such as banking and energy that are subject to Open Data initiatives. Our research conducts original game-theoretic modelling work, studies the broader social and economic benefits that we derive from the adoption of secure technologies, and derives policy implications in relation to the existing UK data governance framework.

Resources: Project Report


Regulatory Interactions and the Design of Optimal Cybersecurity Policies

Feb 2021 - Jul 2021

Link to Funder's Website: ESRC Discribe Hub+

This project explores the design of policy measures incentivising cybersecurity investment and the economic interactions underlying the joint regulation of cybersecurity, data privacy and competition. We describe the current UK regulatory landscape affecting cybersecurity, analyse the economic interactions between data privacy and competition that affect the design of cybersecurity policies, and explore the need for regulatory co-ordination between data privacy and cybersecurity, and between competition and cybersecurity.

Resources: Project Report


Research Papers & Reports

Competition, Data Sharing and Secure Hardware Adoption

W. Lam & J. Seifert, 2024

Working Paper

Hardware security is fundamental to mitigating the growing risk of cyber-attacks. We study secure hardware adoption incentives in an imperfectly competitive market setting in which data controlling firms may also share consumer data with a third party. Data sharing and secure hardware adoption are shown to be weakly positively related in equilibrium and in the first-best. We also explore the conditions under which market-generated data sharing and secure hardware adoption incentives fall short of or exceed the social optimum. We show that data governance interventions to correct these market failures must be responsive to the intensity of competition, among other factors.

Draft available soon


Regulating Data Privacy and Cybersecurity

W. Lam & J. Seifert, 2023

Journal of Industrial Economics

This paper studies firms’ data privacy and cybersecurity choices. We emphasize the strategic interdependence between these decisions and demonstrate that security in both the market equilibrium and the social optimum tends to be higher when data is shared. We also identify important market failures in the sense that firms tend to under-invest in security and over-share data. Our welfare analysis of a minimum security standard, disclosure and consumer education policies, liability rules and consumer mitigation strategies highlights the need for a co-ordinated approach to regulation.

Read Research Paper


Secure Hardware Adoption in the Open Data Context

W. Lam & J. Seifert, April 2023

Commissioned Project Report, ESRC Discribe Hub+ 

This project investigates the factors that drive firms’ decisions to adopt hardware that is digitally secure by design, with a particular focus on markets such as banking and energy that are subject to Open Data initiatives. Our research conducts original game-theoretic modelling work, studies the broader social and economic benefits that we derive from the adoption of secure technologies, and derives policy implications in relation to the existing UK data governance framework.

Read Project Report


Regulatory Interactions and the Design of Optimal Cybersecurity Policies

W. Lam & J. Seifert, July 2021

Commissioned Project Report, ESRC Discribe Hub+ 

This report investigates the design of optimal cybersecurity policies. Our analysis focuses on incentives and explores how regulations can bring the private decisions of profit-maximising firms into line with the objectives of society as a whole. In so doing, we pay explicit attention to important regulatory interactions between cybersecurity, data privacy and competition. This is a crucial part of evaluating the welfare-desirability of any cybersecurity policy: in order to maximise social welfare, regulation must not only correct market failures in the area of cybersecurity but, at the same time, avoid exacerbating market failures in the related areas of data privacy and competition.

Read Project Report


Does Data Protection Legislation Increase the Quality of Internet Services?

W. Lam & B. Lyons, 2020

Economics Letters

Digital firms attract consumers and collect their data by offering service enhancements and data security. These require separate types of investment. In light of the GDPR, data collection now requires explicit consumer consent, i.e. opt-in. This changes the consumer default option and the data provision decision when consumers are loss averse. We examine the consequences for investment. We set out the conditions under which opt-in increases both types of investment and when security comes at the expense of service quality. We further find that most consumer types gain, even when service quality falls. 

Read Research Paper


Attack-Prevention and Damage-Control Investments in Cybersecurity 

W. Lam, 2016

Information Economics and Policy

This paper examines investments in cybersecurity made by users and software providers with a focus on the latter's investments concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.

Read Research Paper