George Mason University Antonin Scalia Law School

Are Firms and Consumers Investing Enough in Data Security?

In his new white paper, Are Firms and Consumers Investing Enough in Data Security?, Program on Economics & Privacy affiliated scholar, Sasha Romanosky surveys the cybersecurity terrain and shows the gaps in the tool set used to assess cyber risks and resulting harms in order to answer the question of whether firms and consumers take enough care to protect personal information.

Many consumer advocates and security and privacy professionals have concluded that companies are not spending enough on IT security. Their assessments are buttressed by the numerous reported cyber incidents and data spills over the past decade. Clearly, these security breaches, privacy intrusions, and software vulnerabilities show that companies are not spending enough to protect consumers’ data and produce safe applications. But there are two problems with this conventional wisdom. First, it ignores the consumer in the model of optimal data security. And second, it wrongly assumes that the right level of security investment would eliminate data breaches altogether.

This white paper helps correct the discussion on both counts.

Read the full report here.