Is there a cybersecurity market failure?
That is the title of my Mercatus working paper (PDF), released yesterday. Basically, it aims to be a short course in public economics for tech policy analysts. Almost all policy wonks have taken Econ 101, perhaps even a graduate version, in which they learn that externalities can cause markets to get prices wrong, and that this can result in market failure. What my paper stresses is that this link, from externality to market failure, is not automatic.
The paper is heavy on “what Coase really meant” (lots of smart people get this wrong), on non-property institutions and norms à la Ostrom, and on the often-ignored inframarginal externality as discussed by Buchanan and Stubblebine. By applying these ideas to cybersecurity policy, I try to show that it is not at all as obvious as many analysts think that there is significant scope for welfare-enhancing regulatory intervention. The point is not that there is literally zero market failure, but that proponents of cybersecurity regulation have not done the work they need to do to show that market failure exists, if it exists. Indeed, many policy analysts may not even realize they are missing something. I hope that this paper will correct that and lead to a more humble and cautious approach to market failure among its readers.
I have plans for more work on tech policy in the future. Internet security and governance is a great research topic for young, tech-savvy economists interested in polycentric governance and institutions. If you’re interested in doing research in this area, let me know; I may be able to help.