3,929 research outputs found

    DATA INSECURITY LAW

    By broad consensus, data security laws have failed to stem a rising tide of data breaches. Lawmakers and commentators blame these failures on some combination of underenforcement and the laws' failure to recognize the full range of data breach harms. Proposed solutions would augment or expand existing data security laws. These proposed solutions share a fatal flaw: they are rooted in traditional theories of deterrence by punishment. Data security laws come in three forms: duties to protect data, duties to notify consumers after a breach, and post-breach remedies. Almost every data security law is enforced through sanctions, most of which are applied after a company discovers a data breach. In theory, companies increase their data security efforts to avoid sanctions. While appropriate for companies that purchase software, this approach is ineffective when applied to companies that build and provide software as an online service. In the cloud context, improving cybersecurity practices increases expected sanctions. And the cloud context matters. Online data security implicates almost all personal data; online services hold the lion’s share of personal data and offline firms rely heavily on cloud software to operate their businesses. This Article calls for a new approach to data security regulation, founded on a systemic view of data security practice. By focusing on system-level incentives instead of individual outcomes, lawmakers can bring data security law back into harmony with policy goals

    Cyber Risk Management from a Resource Advantage Perspective

    The cyber risk management system has become a top priority for organizations in the global economy, and the internet and digitalization have changed how people work and live, making it essential to manage cyber risks effectively. However, many organizations find it difficult to establish an optimal cyber risk management system due to a lack of a clear understanding of their current level of security, insufficient budget, limited skills and knowledge, and/or lack of technical expertise. Importantly, risk management is a complex process that requires an organization to establish a comprehensive risk management system to manage its cyber risks. Identifying the right framework and achieving an optimal return on investment in their cyber risk management system is a key challenge for organizations today. Managing cyber risks requires substantial resources of the firm and resource allocation could affect cybersecurity readiness. The research will use a survey to measure the risk appetite, risk tolerance, resource allocation, company size, technology wariness level, and cyber security readiness of respondents’ organizations to understand each construct’s relationship with resource allocation and cyber security readiness. Targeted respondents are risk management, internal audit, and information technology governance seniors. Using cross-sectional regression, this paper finds that all variables but company size have significant effects on resource allocation and its effect on cybersecurity readiness

    An Empirical Investigation Of Hacking Behavior

    Currently, very limited research is available to help researchers and firms understand the behavior of hackers.  As a result, misconceptions about hackers are formed based on lack of understanding about technology and failure in recognizing the differences among hackers.  We use addiction, intrinsic motivation (state), and self-monitoring (trait) theories to explain hacking.   We obtained 62 usable responses from hackers who completed our online research instrument.  Our findings showed that intrinsically motivated hackers were less discouraged by the possibility of being discovered and the rules imposed by regulatory authorities; however, no significant result was reported for rules imposed by the profession.  Individuals with high motivation to hack were found to be less discouraged by all three deterrence measures.  Participants who perceived hacking to be more consistent with their internal cues were less discouraged by the possibility of being discovered and the rules imposed by regulatory authorities; however, no significant difference was found for rules imposed by the profession.  Finally, contrary to our expectation, low self-monitors were more discouraged by all three deterrence measures than high self-monitors.  Additional research is needed to provide insight into this finding

    An Economic Analysis of the Private and Social Costs of the Provision of Cybersecurity and other Public Security Goods

    This paper examines the incentives of private actors to invest in cybersecurity. Prior analyses have examined investments in security goods, such as locks or safes that have the characteristics of private goods. The analysis in this paper extends this analysis to examine expenditures on security goods, such as information, that have the characteristics of public goods. In contrast to the private goods case, where individual uncoordinated security expenditures can lead to an overproduction of security, the public goods case can result in the underproduction of security expenditures, and incentives to free ride. Thus, the formation of collective organizations may be necessary to facilitate the production of public security goods, and the protection of information produced by the collective organization should be a central feature of such organizations

    Commodifying Marginalization

    Pillars of U.S. social provision, public pension funds rely significantly on private investment to meet their chronically underfunded promises to America’s workers. Dependent on investment returns, pension funds are increasingly investing in marginalized debt, namely the array of high-interest-rate, subprime, risky debt—including small-dollar installment loans and other forms of subprime debt—that tends to concentrate in and among historically marginalized communities, often to catastrophic effect. Marginalized debt is a valuable investment because its characteristically high interest rates and myriad fees engender higher returns. In turn, higher returns ostensibly mean greater retirement security for ordinary workers who are themselves economically vulnerable in the current atmosphere of public welfare retrenchment. They must increasingly fend for themselves if they hope to retire at a decent age and with dignity, if at all. This Article surfaces this debt-centered relational connection between two socio-economically vulnerable groups: retirement-insecure workers and marginalized borrowers. It argues that in the hands of private financial intermediaries, whose fiduciary duties and profit-sensitive incentives eschew broader moral considerations of the source of profits or the social consequences of regressive wealth extraction, depends openly on the tenuous socioeconomic condition of one community as a source of wealth accumulation for another vulnerable community. Consequently, it argues that the incursion of private entities into the arena of public welfare is pernicious because it commodifies and reinforces the subordinate socioeconomic conditions on which marginalized debt thrives

    Ex Ante and Ex Post Investments in Cybersecurity

    This paper develops a theory of sequential investments in cybersecurity in which the software vendor can invest ex ante and ex post. The regulator can use safety standards and liability rules as means of increasing security. A standard is a minimum level of safety, and a liability rule states the amount of damage each party is liable for. I show that the joint use of an optimal standard and a full liability rule leads to underinvestment ex ante and overinvestment ex post because the software vendor does not suffer the full costs of the society in case of security failure. Instead, switching to a partial liability rule can correct the inefficiencies. This suggests that to improve security, the regulator should encourage not only the firms, but also the enterprises to invest in security. I also discuss the effect of network externality and explain why firms engage in "vaporware"


    Marketing Aspects of Technology Ventures

    The aim of the diploma thesis is to analyze the marketing tools used by company XAX and subsequently to evaluate them and propose ways to increase their effectiveness. A description of the company's strategy and the influencing factors will be identified. The thesis contains proposals and recommendations for increasing the effectiveness of the company's marketing tools in the High-tech sector. The aim of the diploma thesis is to analyze marketing tools used in Company XAX and under this condition evaluate and propose increasing the efficiency of the tools used. The current marketing strategy of the company is described and main influencing factors are identified. The thesis contains proposals and recommendations for tools usage in the field of High-tech marketing.