This dissertation provides theoretical, experimental, and empirical studies of topics important in security economics. Chapters 1 and 3 assess cybersecurity settings in particular, along with approaches that limit the frequency of incidents experienced. Chapter 2 provides an experimental justification of Conjectural Equilibrium, an important equilibrium concept particularly relevant to security environments where feedback is limited.
Chapter 1 studies a model of weakest-link network defense. In this model, the defender determines the internal accessibility of a valuable asset and allocates defensive resources prior to an attacker's decision to attack. In equilibrium, one of two resource allocations can arise: (1) both the defender and attacker allocate a strictly positive level of resources, or (2) the defender allocates a sufficient level of resources to deter attacks. As the defender's cost-adjusted valuation of an asset increases relative to the attacker's, the defender is more willing to increase the internal accessibility of the asset, irrespective of the marginal benefit from increased accessibility. This model provides theoretical foundations for data breach and other cybersecurity settings.
Chapter 2 provides an experimental test of the Conjectural Equilibrium concept in a threshold public good game with limited feedback. Consistent with our predictions, we find evidence that strategy profiles that are Conjectural Equilibria but not Nash Equilibria are more likely as feedback decreases, and that subjects are more likely to hold incorrect beliefs as feedback decreases. However, the use of Conjectural Equilibrium as a predictive concept is complicated because risk aversion interacts with the feedback treatment, belief convergence occurs at different rates across treatments, and subjects intentionally choose to not maximize payoffs. Overall, our findings support a measured approach to using the Conjectural Equilibrium concept to obtain predictions in limited-feedback settings. These results are especially useful for understanding security settings, where agents often make decisions based on limited feedback.
Chapter 3 empirically examines the relationship between organizations' cybersecurity measures and the frequency of incidents they experience. Cybersecurity is an increasingly relevant concern for governments, businesses, and individuals. However, despite rising investment in cybersecurity and a rising frequency of cyber incidents, little research has been done to assess this relationship. Using fixed effects regressions over multiple thresholds of incident frequency, this paper identifies staff cybersecurity training, data storage rules, and restrictions on personal devices used for work as measures associated with reduced incident frequency. Furthermore, this paper provides a foundational assessment of how cybersecurity measures are associated differently with phishing versus non-phishing incidents, providing a first step in understanding the usefulness of measures in preventing incidents of different severities.