7 The Enforcement of Compliance

DOI: 10.1201/9781003380962-7

Externalities

Introduction

If companies do invest in cyber mostly to meet compliance requirements, then logically, they’ll invest just the minimum amount necessary to pass an audit. And indeed, received wisdom has it that companies do tend to under-invest in cyber, partly because in their haste to achieve certification, they discount the issue of negative externalities (e.g. [1], para 2.1).

When a breach takes place, not all of the impact will be felt by the company itself – some of it will fall to their customers, the general public, etc. The inconveniences felt by those other parties are the “externalities” [2, 3]. So because the breached company won’t see all the impact, it tends ...
