1 Introduction

The digital economy is a ubiquitous part of our culture and a key commercial activity. The vast majority of Americans have continuous access to the Internet, which they use for entertainment, research, work, and socializing (Kende, 2021: 61). The average American spent over six hours per day consuming digital media, mobile messaging, and shopping online in 2018 (Brynjolfsson & Collis, 2019). In terms of output, the Bureau of Economic Analysis (BEA) estimates that the value added of the digital economy surpassed $2.1 trillion in 2020, which accounts for more than 10% of the United States (U.S.) gross domestic product (Highfill & Surfield, 2022). The digital economy is now the fourth most significant economic sector, behind real estate, government, and manufacturing.

The digital economy’s pervasiveness and growing valuation necessitate that individuals possess a “freedom from the risk of danger when interacting in cyberspace” (Coyne & Leeson, 2005: 475). However, the conventional wisdom finds that the market permits excessive risk due to an inadequate provision of cybersecurity, which is defined here as the protection of digital information from malicious exploitation by preventing, detecting, and responding to attacks [Footnote 1]. The market ostensibly fails in the traditional welfare sense, where information problems and externalities allow vendors to produce a private supply of security that is well below a socially desirable amount. Growing cyber risks and costs are commonly cited as clear evidence of the market’s inability to self-regulate. The International Monetary Fund finds that cyber risk threatens the “system-wide stability” of the financial markets (Adelmann et al., 2020: 5). The Federal Bureau of Investigation’s 2022 Internet Crime Report estimates the potential loss from cybercrime at $10.2 billion per year.

This paper critically evaluates the assertion that the cybersecurity market fails to self-regulate. An understanding of the cybersecurity market failure argument is first necessary to determine whether the prevailing beliefs are misguided. Section 2 provides a literature review of the purported reasons for suboptimal cybersecurity production and their market failures, which are limited data sharing and a predominance of poor cybersecurity quality. The market failure narrative assumes that the very existence of a negative outcome is evidence of failure. Section 3 examines how entrepreneurs invest in cybersecurity proportional to the value of the consumers’ data, thereby negating claims of poor-quality hegemony. The conventional wisdom also overlooks the market’s role as a discovery process and how underlying market institutions induce purposeful action on the part of entrepreneurs. Section 4 examines the role of the cybersecurity entrepreneur in producing innovations that have addressed the purported market failures. Section 5 concludes the assessment.

2 The market failure argument

Market failure is a term with relatively high polysemy in the extant economics literature. Some economists use the fundamental theorems of welfare economics to define failure as market outcomes that are not Pareto efficient. Externalities, public goods, natural monopolies, and information problems are cited as core reasons for inefficient market outcomes in the technical welfare economics sense, which warrant government intervention via subsidies or taxes in order to align private and social marginal costs (Bator, 1958; Baumol, 1952). Under the same paradigm, market failure also means unequal outcomes, which are solved via government redistribution in accordance with the second welfare theorem. Alternatively, Keynesian macroeconomists identify market failure as situations where aggregate demand fails to generate full employment, which necessitates government fiscal policy to realign total demand with total supply. The existence of profit opportunities is yet another connotation for market failure. Hayek’s Competition as a Discovery Procedure (2002 [1968]) pioneered the analysis of the competitive market as a process that dynamically adjusts to changing conditions. In this case, market failures are temporary inefficiencies that spur remedial action by alert, profit-motivated entrepreneurs.

Technical welfare connotations, specifically large externalities and information problems, are two of the most common economic explanations for cybersecurity market failure. Both issues reputedly cause incentive misalignment between producers and consumers, which leads to private investment in cybersecurity that is well below the socially efficient investment level (Kopp et al., 2017). Two outcomes, bad products and data hoarding, are routinely cited as empirical evidence of the failures caused by perverse incentives. In terms of the former, the majority of IT products are putatively produced with minimal, low-quality cybersecurity. As for the latter, a dearth of threat information sharing, which is the sharing of information about software vulnerabilities, network weaknesses, and cyber-attacks, is claimed to intensify cyber risks.

Market interventionists profess that both negative and positive externalities exist in the cybersecurity market. The existence of insecurity on a decentralized, interconnected system generates negative externalities because the security of any one individual is dependent upon all others (Moore, 2010: 107). People can free ride off the investments made by security-conscious individuals. Firms forgo cybersecurity investment in favor of private good characteristics, like unique software features, because they cannot recoup their investment (Anderson & Moore, 2006; Kende, 2021: 112–114). Moreover, firms ostensibly possess weak incentives to secure their systems because they do not incur the full costs of their vulnerabilities, as other businesses and individual consumers bear the majority of the burden (Schwalb, 2006: 169; Sales, 2013: 1508; The U.S. Government, 2023).

Information sharing of cyber threats creates positive externalities, which enhance security for all participants (Bauer & Van Eeten, 2009: 717). However, the positive externalities are not captured because software vendors are allegedly disincentivized from sharing threat information, such as their system vulnerabilities and attempted cyber-attacks, with others (Langevin, 2017; Swinhoe, 2019). Several reasons exist for why information is withheld. Rosenzweig (2011: 9) argues that businesses are motivated to withhold threat information because the disclosure of an attack may harm a business’s reputation, lead to liability claims, and result in negative financial returns. Sales (2013: 1532) and Weiss (2015: 5) argue that firms withhold relevant cybersecurity information to maintain a competitive advantage over their rivals and to prevent free riding by competitors. Finally, large transaction costs may limit the creation of credible commitments among data recipients to appropriately safeguard and handle sensitive data. As two examples, information sharing imposes the risks that trust is violated by a recipient (Tosh et al., 2015: 1220) or that the information is maliciously obtained by cyber criminals (Skibell, 2003: 132).

Information asymmetry, a second oft-cited market failure reason, supposedly exists between the suppliers of cybersecurity and consumers, leading to a suboptimal private provision of cybersecurity (Anderson, 2001; Gordon & Loeb, 2002; Anderson & Moore, 2006; Acquisti et al., 2016: 447–448; Kende, 2021: 114–116). Consumers ostensibly possess scant information because cybersecurity is highly complex, making a comprehensive evaluation of potential security risks nearly impossible for the average consumer (Acquisti et al., 2017: 2). Cybersecurity putatively holds credence good qualities as well, where verifying data security is costly even after consuming software products (Vagle, 2020: 81). Threat data stockpiling by reputation- or competition-conscious firms exacerbates these information problems. Persistent asymmetry allows firms to engage in moral hazard by shifting cyber risk to their consumers in the form of inferior security, while claiming high quality (Kende, 2021: 109–110), and by disclaiming any liability for a potential failure (Anderson et al., 2009: 59). Schneier (2007b) alleges that consumers struggle to form trust in the security of IT devices, leading to adverse selection where poor cybersecurity is the standard across many market segments. Anderson et al. (2009: 58) assert that the prevalence of bad security products driving out good ones “has long been known” due to an adverse selection problem.

Existing literature offers reason for skepticism regarding the cybersecurity market failure arguments. Powell (2005) and Nye (2014) dispute the externalities claim. The amount of investment in cybersecurity and the growth of a cybersecurity market discredit claims of significant underinvestment and free riding. Likewise, information asymmetry problems are typically overstated given the predominant role of businesses as cybersecurity consumers, who are incentivized to invest in cyber information because cyber-attacks can significantly threaten operations and financial viability (Hepfer & Powell, 2020; Nolan & McFarlan, 2005). These investments are evidenced by the rapid growth of the vulnerability analyst labor market, the implementation of auditing requirements in IT outsourcing contracts (Chen & Bharadwaj, 2009), and the adaptation of corporate governance mechanisms, like the board of directors’ roles and responsibilities, to improve cybersecurity monitoring (Benaroch & Chernobai, 2017).

The technical welfare market failure assertions also implicitly conclude that cybersecurity is undersupplied due to the very existence of adverse outcomes, thereby ignoring both the possibility and the desirability of perfect security. With regard to the former, system risk is innate to interconnected networks. Wolff (2018: 48–49) puts forth the “often repeated truism of computer security” that perfect security, like vulnerability-free software, is impossible. Banks and credit card companies, for example, must endure the “static secret” of credit card numbers, which are inherently vulnerable to exploitation as the data is repeatedly communicated across many parties in a complex system (Bonneau et al., 2015: 84). As for the latter, not all data is equally valued by market participants. Suppliers ought to make cybersecurity investments in accordance with the value that their customers place on data security relative to other product attributes. Evidence of self-regulation given consumer security preferences is covered in the next section.

3 The satisfaction of cybersecurity preferences

Market interventionists implicitly conclude that cybersecurity production is inadequate due to the existence of bad events, like cyber-attacks; however, the manifestation of a bad event is not a sufficient criterion for asserting market failure. Due to the impossibility of perfect security, the conclusion is unfalsifiable. In addition, the value consumers place on their data, such as product purchase information, social media activity, and home address, is critically important for an accurate market failure determination. Data valuation is disparate across cyberspace because security is a substitute for other product attributes and data’s intrinsic value is variable. Greater security may limit software operating speed or delay the release of a new product with improved capabilities, which are also desirable features for consumers. The intrinsic value of data largely depends on the potential damage that would occur if the information is compromised by cyberspace belligerents, who are otherwise known as black hat hackers.

Although several motivations exist for hackers, they typically prioritize extractable wealth (Herley, 2013: 91). Personally identifiable information (PII), such as social security numbers and bank login details, and personal health information (PHI), like medical record numbers and health insurance information, are generally assumed to possess high security value because hackers can use the data to replicate a person’s identity and then engage in fraud. Combinations of PHI and PII are even more valuable as a sophisticated thief could take over an individual’s accounts with lower probability of detection, leading to greater financial expropriation (Epstein & Brown, 2008: 213).

Privacy Affairs generates an annual price index for consumer data sold on the Dark Web. Payment processing services, meaning firms that process financial transactions, possessed the highest average prices for stolen data in 2023, while social media and hacked service data were sold for relatively minimal cost (Zoltan, 2023). Chase Bank online login data, for example, sold for $500 per account, while compromised Facebook and Spotify accounts cost $25 and $10, respectively. Consequently, the prices for stolen consumer data are consistent with its intrinsic value because the extractable wealth from banking login information is significantly higher relative to a social media account.

The appropriate amount of cybersecurity investment by a firm is dependent upon the data’s value, which in turn is driven by consumer preferences. Unequal data values mean that varying levels of cybersecurity investment are appropriate. Therefore, an adverse event may be acceptable when a relatively low valuation is placed on the data. On the contrary, greater investments in self-regulating mechanisms should be expected when the underlying data is highly valuable, like banking and finance PII. Empirical evidence for the latter follows.

Businesses responsible for protecting valuable data are incentivized to invest more in cybersecurity mechanisms because consumers internalize greater losses when a failure occurs. Thus, consumers are more likely to punish or reward a firm for poor or good security, respectively. As expected, the finance industry is the leader in information security investment because a large-scale failure would cause irreversible harm to consumer confidence in their IT services (Gaynor et al., 2015: 112–113). The Payment Card Industry (PCI) is incentivized to minimize data breaches because they limit the adoption and usage of credit cards and victims may take legal action to collect damages (Deitcher, 2009). PayPal, a leading payment processing company, asserts that consumer confidence in the security and safety of transactions on PayPal’s platform is one of the most significant risk factors threatening operational viability (Trautman, 2016: 284). Akin to the PCI’s motivations, unauthorized publication of users’ data could impair the firm’s reputation and lead to financial loss or litigation (Trautman, 2016: 289).

Industry participants respond to these profit and loss incentives by instituting mechanisms to self-regulate the security of high value payment processing data. Market leading credit card companies cooperatively and voluntarily established the PCI Data Security Standards (PCI-DSS) in 2004 to set security requirements for any organization that handles or processes credit card information. The PCI standards established best practice requirements, such as the implementation of technical security tools, data breach remediation procedures, and a continuous demonstration of compliance (Epstein & Brown, 2008: 215–216). As an example, PayPal licenses third party encryption and authentication technologies in order to secure the communication of consumers’ sensitive PII (Trautman, 2016: 288). In addition, the PCI Security Standards Council strictly monitors membership performance and will levy large fines and expel organizations for failing to protect consumer data (Gaynor et al., 2015: 116).

The payment card processing chain is complex and includes many organizations, like the merchant where the transaction is initiated, the merchant’s bank, the issuing bank, and the card company, all of varying size. Therefore, the minimum level of security practices is tiered to reflect the data value of each member; relatively large stakeholders with more resources and more data must implement stricter controls (Gaynor et al., 2015: 113–114). Given the significant valuation of processing data, many of the industry leaders go above and beyond the most stringent requirements with advanced cybersecurity solutions. Shortly after the launch of the PCI DSS, Visa announced the implementation of an innovative authorization system that examined each card’s usage both intertemporally and cross-sectionally to detect anomalies (Epstein & Brown, 2008: 214). Leading providers typically use multiple, parallel security mechanisms and routinely introduce new modes of operation, like progressive or continuous authentication, to validate a transaction (Bonneau et al., 2015: 79–85).

The investments in self-regulatory mechanisms are effective. Market failure would result in reduced mutually beneficial exchanges, which has not occurred. On the contrary, the growth in payment processing transactions, exhibited by mobile banking usage, is exceptionally large. According to surveys conducted by the Board of Governors of the Federal Reserve, 22% of respondents adopted mobile banking practices in 2011. By 2015, the last year the Board reported on this metric, mobile banking usage increased to 43% of respondents (Dodini et al., 2016: 9). Moreover, PayPal states that the number of users for Venmo, a mobile payment service, rose from 3 million in 2015, to 40 million in 2019, and to 78 million in 2022. Despite the rapid growth in payment processing, the number of security incidents for the financial business sector was relatively constant between 2005 and 2019 (Seh et al., 2020).

The banking and finance case study reveals that entrepreneurs adeptly satisfy consumer preferences with sophisticated self-regulating solutions when consumers prefer strong cybersecurity. Failing to account for the desirability of cybersecurity is not the only manner in which regulatory advocates are misguided. Government interventionists often cite a static stock of bad outcomes, while overlooking whether the underlying causal factors are persistent. The reasons for poor cyber quality and successful cyber-attacks may change. New errors may emerge as current ones are resolved. In fact, market solutions to cybersecurity challenges could be improving, but vulnerabilities and breaches persist due to a growing cyberspace, motivated hackers, data’s variable value, and imperfect calculations executed by entrepreneurs as they try to pierce through the veil of ignorance.

Instead of a static evaluation, economists must analyze the extent and speed to which the underlying causes of discoordination are remedied. Cybersecurity entrepreneurs may play a critical role in resolving market issues by correcting errors and improving upon cybersecurity outcomes over time. These individuals operate within the institutions of a dynamic market process, which possesses mechanisms that inform and motivate coordinating cybersecurity improvements. The next section applies the entrepreneurial discovery process and price theory to empirically refute market failure claims by dynamically measuring the removal of disequilibria via marketplace innovation.

4 Market process driven innovation

Price theory and the market process provide economists with a useful framework to examine the conventional wisdom that cybersecurity self-regulation does not work. This study argues that the market failures are, in fact, profit opportunities. Rather than a state of settled affairs, the cybersecurity market, like all markets, is one of continuous and fluid activity with disequilibrium as a feature of the process. Equilibrating solutions emerge from an evolution of exchanges and engagements, each involving mutual gains (Buchanan, 1964: 218). Changes to the underlying market variables, which include resource constraints, consumer preferences, and technological possibilities, induce changes to relative prices (Kirzner, 1992). Entrepreneurs, who are alert to relative price changes and motivated by financial rewards and losses, act to resolve inefficiencies that typically move the market “systematically toward, rather than away from, the path to equilibrium” (Kirzner, 1997: 62). “Today’s inefficiency is tomorrow’s profit opportunity” for individuals that align the underlying market variables with the induced variables, thereby improving the state of affairs for all (Boettke, 2002: 269–270).

If today’s inefficiency is tomorrow’s profit opportunity, then yesterday’s low security product is not necessarily evidence that today’s market is failing, because cybersecurity entrepreneurs ought to engage in innovation that resolves the causal forces of market discoordination. Empirically, the effectiveness of cyber innovation is based on Kirzner’s (1997: 76) test of market efficiency, which emphasizes the degree, accuracy, and speed with which the entrepreneurial discovery process corrects the errors, not the existence of the errors themselves. The breadth and scope of the cybersecurity industry is tremendous, making a comprehensive exploration of entrepreneurial activity infeasible. Therefore, several use cases are selected to empirically evaluate market process efficiency in guiding alert entrepreneurs to solve cybersecurity market disequilibria over time. The examination includes three use cases, one for each type of innovation: production processes, outputs, and organization (Kirzner, 1985: 86). Each use case sequentially follows the entrepreneurial discovery process, starting with a description of a production malinvestment, then identifying the shift in the underlying market variables, and finally, ascertaining how alert entrepreneurs introduced discoordination-solving cybersecurity innovations that resulted in profits or (more typically) quelled financial losses.

4.1 Software patching

Operating system (OS) maintenance, specifically software patching, is a first use case and focuses on cybersecurity production process improvements. Timely, recurring computer and mobile OS system patch updates are a standard today; however, this process was not always pervasive. Personal computing proliferated in the 1980s and most software vendors were very slow to fix a vulnerability or ignored the issue altogether. Some industry experts alleged that patches were considerably delayed because the vendors did not internalize all the costs from a data breach (Arora et al., 2008: 642). Rather than issuing patches for known vulnerabilities, vendors assumed that secrecy would prevent an exploit (Schneier, 2007a). The “secrecy as security” argument falsely assumed that market participants, like hackers, software researchers, and consumers either could not discover the bugs themselves or would not exploit vulnerabilities due to copyright law or an informal respect for the vendor’s property.

This approach to software maintenance was ineffective. The underlying changes in technology that allowed personal computing to flourish dramatically increased the number of potential security issues. Market participants discovered a significant number of the flaws (Cavusoglu et al., 2007: 171–172) and preferences for software fixes evolved. Informed consumers and security consultants expressed their disapproval of major software vendors by engaging in a policy of public disclosure, where the full details of a vulnerability are published to the general public without restriction (Cavusoglu et al., 2007: 172; Schneier, 2007a). As one example, public disclosure mailing lists, like Bugtraq, were established in the late 1990s to openly exchange information on new software bugs (Arora et al., 2008: 642). Black hat hackers could readily develop an exploit for a publicly disclosed vulnerability, which resulted in more cyber-attacks (Arora et al., 2004: 1287). Customers of major vendors, like Microsoft, “pressed the company to make serious changes or risk losing them all to Linux [Footnote 2]” because of public disclosures and the increased risk of attack (Menn, 2019: 84).

In terms of the market process, imperfect knowledge led to behavioral patterns that “failed to achieve mutual consistency” (Boettke, 2014: 239). Software vendors misallocated software operations and support resources, which increased security risks and failed to meet consumer preferences for digital security. Customer disapproval of these errors, or maladjustments, was communicated to vendors through public disclosure of vulnerabilities and customer complaints. The maladjustments were ultimately felt in the price system through negative reputational effects and operational losses that forced changes in the plans of market participants, as Kirzner ([1963] 2011) and market process theory envisioned. The increased risk of attack and the complaints by security consultants and customers compelled software producers to issue patches (Schneier, 2007a; Menn, 2019: 56). Empirically, Arora et al. (2004, 2010) find that public disclosures significantly expedited the deployment of a vendor’s patch.

Nevertheless, new discoordination appeared from the onslaught of vendor issued patches. During the early 2000s, vendors began to issue well over a hundred patches per week, but the high frequency and unpredictability of fixes generated significant administrative costs and uncertainties for consumers (Cavusoglu et al., 2008: 658). The National Institute of Standards and Technology (NIST) noted that failing to properly patch software and systems was a “common mistake” due to new patches that were released daily, making it “difficult for even experienced system administrators to keep abreast of all new patches” (Mell & Tracy, 2002: 1). Vendor issued patches were often poorly designed as well. System administrators needed to extensively test patches upon receipt to ensure that they did not break the overall system (Schneier, 2009). As a result, some patches were not implemented by recipients in a timely manner, which increased insecurity for businesses (Fiscutean, 2023).

The underlying market variables fluctuated, which again induced changes in the relative prices that software vendors consequently observed. The number of vulnerabilities grew exponentially between 1997 and 2006 (Shahzad et al., 2012: 774) due to technological innovation and expanding IT networks. More vulnerabilities raise the potential number of cyber-attack incidents, which translates to higher costs of insecurity for vendors and consumers. In turn, customers expressed preferences for greater security and certainty in the patching process. Mills (2009) states that Microsoft incurred consumers’ wrath for releasing software with security issues. Gupta and Kankanawadi (2022) note that business customers reconsidered their use of Microsoft’s products. Empirically, vendors who experience a cyber-attack are financially punished. Garg et al. (2003) executed a data breach event study with several Microsoft events and concluded that cyber-attacks resulted in significant abnormal negative returns [Footnote 3]. In general, the market responds negatively to the announcements of data breaches. Ali et al. (2021) conducted a literature review of over 75 event studies between 2003 and 2019, finding that the majority of data breaches result in a significant negative return.

Many vendors, therefore, were driven to prioritize improved software security (Cavusoglu et al., 2007: 171). Microsoft, the most dominant software vendor, was motivated by “market forces” and a need to establish trust with computer users (Lipner, 2004: 2). They established a Trustworthy Computing (TwC) initiative in 2002 to make cybersecurity a top priority (Mills, 2009). As part of the initiative, Microsoft invested heavily in developing higher quality software that “requires less updating through patches and less burdensome security management” (Lipner, 2004: 2). Resources were reallocated to security, as Microsoft vulnerability analysts became critical personnel with access to large budgets (Fiscutean, 2023). In addition, Microsoft commenced Patch Tuesday in 2003, which shifted the paradigm from irregular, poorly tested patches, to batch patching on the second Tuesday of each month.

The improved patching process reduced implementation costs for users and lowered the uncertainty for system administrators (Fiscutean, 2023). After reviewing the improvement in cybersecurity outcomes, security experts, like Schneier (2009), claimed that Patch Tuesday was a resounding success. Microsoft earned a much-improved reputation for its cybersecurity, which has led to long run profitable cybersecurity opportunities in relatively new IT domains, like cloud computing (Wingfield, 2015).

For the market overall, the degree, speed, and accuracy of error correction provide relatively strong evidence of market efficiency. Customers of other vendors requested improved predictability in software patching (McMillan, 2008), which led to routine patching becoming an industry standard (Fiscutean, 2023). NIST’s 2012 Guide to Enterprise Patch Management notes that “many organizations have largely operationalized their patch management” (Souppaya & Scarfone, 2013: vi). Moreover, patching innovations significantly improved cybersecurity quality. Shahzad et al. (2012) calculated the annual percentage of software vulnerabilities that were patched before general public notification. After a nadir of 40% in 2005, the rate sharply rose and exceeded 85% for the years 2008–2011 [Footnote 4] (Shahzad et al., 2012: 777). The authors also find that private sector corporations invest more resources to secure their products and issue more timely patches relative to non-profit, open source organizations (Shahzad et al., 2012: 777). Finally, Anderson et al. (2009: 9) concede that core software vendors have shown evidence of security improvement over time.

As an expected part of the market process and entrepreneurial discovery, equilibrium market outcomes remain elusive. Today, software vendors generally provision patches in a timely manner; however, customers may not adequately implement the fixes. A majority of today’s cyber-attacks occur due to poor patch management by business consumers, where a vulnerability with a known patch was exploited (Sheridan, 2020). Nevertheless, the market process offers reason for hope as entrepreneurial innovations continue to move the market towards a higher cybersecurity equilibrium. Automatic patching, patch management tools, and cumulative updates are three types of recent process innovations that streamline patching for business and individual consumers (Fiscutean, 2023). Alert entrepreneurial actors acting within market institutions have created and continue to create patching innovations to solve discoordination and improve cybersecurity quality, which refute the claims of misaligned incentives and poor cyber products.

4.2 Authentication products

Cybersecurity product innovation is a second use case to empirically assess the claims that poor quality cyber products typically drive out good quality products. At a macro level, the general consensus view is doubtful. NIST’s Cybersecurity Framework details core activities for effective security risk management. Clarke and Knake (2019: 70–72) argue that cybersecurity technological advancement has evolved to master each risk management function over the past 50 years. Ehrlicher (2021) comments that cybersecurity is constantly evolving with innovations in both attacks and defensive measures. Zero trust architectures, digital forensics, public key cryptography, and blockchain technologies are several of the many prominent cybersecurity-oriented product innovations that are part of the American lexicon today.

Digital authentication products, such as passwords or biometrics, serve as a specific cybersecurity product innovation exemplar. Historically, only a password, a single factor, was required for a user to access controlled digital material, like a company’s webpage or an employer’s computer network. The market’s underlying technologies subsequently changed as hackers began to employ tactics, like brute force [Footnote 5] and phishing [Footnote 6] cyber-attacks, that rendered single-factor authentication unreliable and led to disequilibrium (Gunson et al., 2011). Moreover, consumers asserted their preferences for simplistic passwords, rationally forgoing the relatively high costs and low benefits of complex authentication (Herley, 2009). Relative prices changed. Verizon’s annual Data Breach Investigations Report cited the increasing costs of cyber-attacks, with compromised credentials as a leading cause of successful data breaches.

Multi-factor authentication (MFA) products, introduced beginning in the mid-1990s, presented a potential solution to the aforementioned discoordination. Microsoft, for example, introduced a “smart card system” in 2004 that required customers to use both a physical card and a password to access their system (Clarke & Knake, 2019: 129). Nonetheless, a good invention does not necessarily make for a good product. The market provides entrepreneurs with a compass, through the profit and loss mechanism, which determines whether an invention is also a societally useful innovation that will be accepted by consumers (Boettke & Sautet, 2011: 41–42). Despite its superior security, the product failed because it did not align with underlying market resources, technologies, and preferences: the system imposed significant card-carrying costs on consumers and increased login time (Bonneau et al., 2015: 80; Clarke & Knake, 2019: 129).

Alert entrepreneurs soon discovered different types of MFA solutions as knowledge of underlying tastes and technologies continued to change. The rising frequency and cost of cyber-attacks increased the taste for MFA, while consumer costs fell significantly as smartphones became a prevalent second factor for authentication (Odlyzko, 2019: 13). Companies like Okta and Duo Security became “darlings of Wall Street” due to their societally useful smartphone MFA innovations (Clarke & Knake, 2019: 131).

The market process is relatively efficient as measured by the speed, degree, and accuracy of MFA adoption. Claims of low adoption exist, but they typically focus on consumers voluntarily forgoing MFA (Das et al., 2019), which is plausible because consumers may place a low valuation on data privacy (Fuller, 2019). However, MFA is now common in industries and market segments where the value of the protected assets, like financial transactions, is high (Bradford, 2023). Regarding the degree of adoption, Duo Security was acquired by Cisco for over $2 billion in 2018, while Okta’s market valuation exceeded $10 billion in 2022. In terms of accuracy, MFA currently prevents the vast majority of brute-force and phishing attacks (Bradford, 2023), although one-time codes can still be relayed by real-time adversary-in-the-middle phishing, which is why phishing-resistant factors that bind the credential to the site’s origin (FIDO2/WebAuthn security keys and passkeys) are the current direction of product innovation. In summary, this use case provides additional empirical evidence that contradicts the commonly held belief that poor quality products pervade the cybersecurity market.
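The smartphone second factor discussed above is, in its most common product form, a time-based one-time code generated by an app and checked alongside the password. The following is an added worked example, not code from the paper or from any of the vendors it names. It assumes the app implements RFC 6238 TOTP over HMAC-SHA1 with a 30-second step and six digits (the usual default), and the user record, salt, password and enrolment secret are constructed for illustration (the secret is the RFC 6238 test key, so the codes can be checked against the RFC’s published vectors).

```python
"""Added example: password plus phone-generated one-time code (TOTP, RFC 6238).

Assumptions (not from the paper): HMAC-SHA1, 30-second step, 6 digits; the
user record, salt and secret below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6     # code length shown by the phone app


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at_time // STEP)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew.

    Codes are compared in constant time so a wrong code leaks nothing via timing.
    """
    counter = at_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + k).encode(), code.encode())
        for k in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not hand the attacker the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store. The TOTP secret is stored base32-encoded, as it is
# enrolled into a phone app; here it is the RFC 6238 test key.
SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}
# Used for unknown usernames so the work done does not reveal whether a user exists.
_DUMMY_USER = {
    "pw_hash": hash_password("", SALT),
    "totp_secret": base64.b32encode(b"dummy-secret-not-used").decode(),
}


def login(username: str, password: str, code: str, at_time=None) -> bool:
    """Both factors must verify. A stolen or brute-forced password alone is not enough."""
    at_time = int(time.time()) if at_time is None else at_time
    user = USERS.get(username, _DUMMY_USER)
    # Evaluate both factors unconditionally; no early return on a bad password.
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    secret = base64.b32decode(user["totp_secret"])
    code_ok = verify_totp(secret, code, at_time)
    return user is not _DUMMY_USER and pw_ok and code_ok


if __name__ == "__main__":
    # RFC 6238 vector: at unix time 59 the 8-digit SHA1 code is 94287082; last 6 digits below.
    print(totp(b"12345678901234567890", 59))
    print(login("alice", "correct horse battery staple", totp(b"12345678901234567890", 59), at_time=59))
```

The skew window is the usual product compromise between usability and replay exposure; a production service would also store the last accepted counter per user so a code cannot be accepted twice within the window. The example also shows why the adoption caveat above matters: the code is only a secret shared with the server, so a proxy that relays it within the 30-second step still passes `login`, whereas an origin-bound FIDO2 assertion would not.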

4.3 Vulnerability sharing

Organizational entrepreneurship is a third and final use case to evaluate whether entrepreneurs address market inefficiencies associated with information sharing externalities. The analysis of the cybersecurity entrepreneur so far has been limited to actions within the confines of the market; however, entrepreneurship can also occur “over the rules of the game” (Leeson & Boettke, 2009: 252). This institutional entrepreneurialism occurs when individuals ascertain new methods for enforcing informal institutions in the absence of formal mechanisms (Redford, 2020: 145). Institutional entrepreneurs create private mechanisms of securing property rights when these protective mechanisms are not provisioned by the public sector (Leeson & Boettke, 2009: 253).

Public protection mechanisms for digital security are limited for several reasons, one of which is the difficulty of attributing online activity to a person. Several mechanisms exist for individuals to remain anonymous online, which limits the ability to detect and punish individuals or groups that violate the formal rules. Cyberspace’s international domain also limits the effectiveness of public safeguards. Sovereign nations encounter jurisdictional constraints, such as the legitimacy of asserting control over global cyber phenomena (Benson, 2005: 329–334). Even if the U.S. government were able to identify a particular hacker, extradition and punishment are infeasible if the hacker is operating within an adversary’s borders. Public protection mechanisms are also limited by the inherent characteristics of decentralized IT networks. The increased complexity and interdependency of information systems raises the intricacy and number of security risks, which erodes property rights in IT assets (Sauerwein et al., 2017: 837). Moreover, threat information overlaps across organizations, but no one entity possesses the knowledge to accurately assess the entire landscape (Barnum, 2012: 5–6).

Academic and industry literature generally agree that information sharing by organizations improves resistance to cyber-attacks, strengthens cyber-attack mitigation and remediation capabilities, and improves knowledge regarding current and future risks (Pala & Zhuang, 2019: 179–180). Despite the public protection challenges, the U.S. government has taken measures to establish cyber incident response and vulnerability sharing organizations. Several efforts have achieved considerable success, like the Forum of Incident Response and Security Teams (FIRST). Formed in 1990 by a small group of mostly government and academic response teams in the aftermath of the 1988 Morris worm, FIRST is today a global incident response organization that interconnects cybersecurity experts to share industry best practices and respond to cyber incidents.

However, many other government data sharing efforts have encountered noteworthy challenges. The National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS) was tasked with developing private sector partnerships and methods to share vulnerability information. The government, unfortunately, lacks the incentives to adequately share relevant and timely data with the private sector, resulting in information hoarding within bureaucratic stovepipes (Douris, 2017: 7–8). Classification constraints, which can cover the methods and sources a government agency used to identify a vulnerability, further limit data sharing with the private sector (Rosenzweig, 2011: 12). The limited motivation and ability to share threat data damages the credibility of government organizations (Douris, 2017: 8–9). As one example, a 2005 Government Accountability Office (GAO) report found that federal agencies had not established adequate trust with information sharing organizations, noting “private sector concerns about what the DHS would share with other federal agencies” (GAO-05-434 2005: 21).

Absent effective public protection, institutional entrepreneurs are another option to secure the informal property rights structure so that productive activity may ensue (Redford, 2020: 146). International trade provides an analogous precedent to cyberspace, where private merchant law, the lex mercatoria, spontaneously evolved to govern cross-border commercial contracts in the absence of formalized laws (Leeson & Boettke, 2009: 255). In this case, cybersecurity rules emerged to govern cross-firm, inter-industry, and international threat information sharing because of the limitations of public protection measures. Cybersecurity entrepreneurs helped to produce and enforce informal institutions that internalize information sharing externalities so that cybersecurity outcomes improve.

Commercial entities played a significant role in the establishment of information sharing and analysis centers (ISACs), whose primary functions are collecting, analyzing, and transmitting threat information among members (Choucri et al., 2016: 17). Though the Clinton administration “encouraged” the private sector to establish a threat sharing organization that would interface with the government (Moteff, 2009: 7), businesses generated more than a dozen industry-level organizations “organically” (Zheng & Lewis, 2015: 2). Industry-based ISACs spontaneously emerged from the shared interests created by common threats (Bromiley, 2016: 8). The most prominent ISACs, like the Financial Services ISAC (FS-ISAC) and the Information Technology ISAC (IT-ISAC), established their own data sharing operations and were self-supporting (Moteff, 2009: 22–23). The individual ISACs subsequently formed an ISAC Council as an umbrella organization to coordinate sharing across industries (Moteff, 2009: 23).

ISACs employ rules that are representative of voluntary organizations that successfully internalize externalities. The rules are the means by which incentive structures are modified (Ostrom, 1986: 6) so that members internalize the positive externalities of sharing cyber threat information. As an exemplar, the FS-ISAC has tiered membership with boundary and information rules that detail entry, exit, and data handling requirements. Statistics on threats shared among ISAC members are withheld from all non-members in order to “maintain high levels of trust among its members” (Choucri et al., 2016: 17). Data exchange must follow the Traffic Light Protocol (TLP), which labels each piece of information with a sensitivity class and the associated redistribution limits, so that threats are shared as widely as the sensitivity of the information allows. As an example, members must sanitize company-identifiable information from relatively sensitive data so that reputational and business operational concerns are minimized.
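The two handling rules just described, a TLP label that bounds redistribution and the sanitization of company-identifiable detail before exchange, are mechanical enough to show in code. The block below is an added example written for this page; it is not the FS-ISAC’s or any ISAC’s own tooling. It assumes the TLP 2.0 labels published by FIRST (CLEAR, GREEN, AMBER, AMBER+STRICT, RED); the audience tiers, the house rule that anything leaving the reporting organization is sanitized, the reporting organization’s domain and the sample report are all constructed for illustration.

```python
"""Added example: TLP-bounded redistribution and sanitization of a threat report.

Assumptions (not from the paper): FIRST TLP 2.0 label definitions; the audience
tiers, house sanitization rule, org domain and sample report are constructed.
"""
import ipaddress
import re
from typing import Optional

# Audiences a recipient may redistribute to, narrowest to widest (constructed tiers).
AUDIENCES = ["named_recipients", "own_organisation", "members_and_clients", "community", "public"]

# Widest audience each TLP 2.0 label permits (FIRST definitions).
TLP_MAX_AUDIENCE = {
    "TLP:RED": "named_recipients",
    "TLP:AMBER+STRICT": "own_organisation",
    "TLP:AMBER": "members_and_clients",
    "TLP:GREEN": "community",
    "TLP:CLEAR": "public",
}


def may_share(label: str, audience: str) -> bool:
    """True if redistributing to `audience` stays within what the label allows."""
    if label not in TLP_MAX_AUDIENCE or audience not in AUDIENCES:
        raise ValueError(f"unknown TLP label or audience: {label!r}, {audience!r}")
    return AUDIENCES.index(audience) <= AUDIENCES.index(TLP_MAX_AUDIENCE[label])


# Address ranges that identify the reporter's own network rather than the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[\w-]+\b")
HOST = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")


def sanitise(text: str, org_domain: str) -> str:
    """Strip detail that identifies the reporting organisation; keep the indicators.

    RFC 1918 / loopback / link-local addresses become [INTERNAL_IP]; mailboxes and
    hostnames under org_domain become placeholders. Attacker IPs, domains and
    hashes are left untouched because they are the value being shared.
    """
    org = org_domain.lower()

    def ip_repl(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an address
            return m.group(0)
        return "[INTERNAL_IP]" if any(ip in net for net in INTERNAL_NETS) else m.group(0)

    def mail_repl(m):
        return "[ORG_MAILBOX]" if m.group(0).lower().endswith("@" + org) else m.group(0)

    def host_repl(m):
        h = m.group(0).lower()
        return "[ORG_HOST]" if h == org or h.endswith("." + org) else m.group(0)

    text = IPV4.sub(ip_repl, text)
    text = EMAIL.sub(mail_repl, text)      # before HOST so the org domain inside a mailbox is handled once
    return HOST.sub(host_repl, text)


def prepare_for_sharing(report: dict, audience: str, org_domain: str) -> Optional[dict]:
    """Return a copy of `report` fit for `audience`, or None if its TLP label forbids it.

    House rule (assumed): anything leaving the reporting organisation is sanitised.
    """
    if not may_share(report["tlp"], audience):
        return None
    out = dict(report)
    if AUDIENCES.index(audience) > AUDIENCES.index("own_organisation"):
        out["text"] = sanitise(report["text"], org_domain)
    return out


# Constructed sample: an AMBER report from a fictional member bank.
ORG_DOMAIN = "example-bank.com"
SAMPLE_REPORT = {
    "tlp": "TLP:AMBER",
    "text": ("Phishing mail to j.doe@example-bank.com from billing@evil-cdn.example.net; "
             "payload beaconed from host fin-ws-042.corp.example-bank.com (10.20.30.40) "
             "to 203.0.113.7; sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
}

if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE_REPORT, "community", ORG_DOMAIN))          # None: AMBER stops at members
    print(prepare_for_sharing(SAMPLE_REPORT, "members_and_clients", ORG_DOMAIN)["text"])
```

The ordering matters: the mailbox pattern runs before the hostname pattern so that `j.doe@example-bank.com` is replaced as a whole rather than leaving a dangling local part, and the internal-range check is explicit rather than relying on a library notion of "private" so that documentation and test ranges used as attacker addresses survive. Sanitization is applied on the way out, not at ingestion, so the member keeps its own full-fidelity copy for internal investigation.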

ISAC membership also entails payoff rules, which designate rewards or punishments based on member actions or outcomes (Ostrom, 2005: 834). The primary reward of membership is receiving timely threat information from other members. Membership is also tiered to incentivize maximal data sharing. Higher tiered members receive timelier and higher quality information regarding current cyber threats and security incidents, thereby reducing the risk of a costly cyber-attack (Clarke & Knake, 2019: 59–60).

As evidence of institutional efficiency, FS-ISAC modified its charter in 2013 to include financial services worldwide and its membership now extends to “affiliate members” that are indirectly associated with financial service businesses (Choucri et al., 2016: 16). Today, the FS-ISAC reports more than 22,000 active users from 75 countries and total membership firm valuation exceeding $100 trillion. Overall, the ISACs are viewed as “important venues for cyber threat information sharing” (Zheng & Lewis 2015: 2), with McCarthy et al. (2014: 2) citing their longevity and the introduction of new ISACs across most industries as further indicators of success.

The information institutions of ISACs and other voluntary cyber data sharing organizations certainly are not perfect. A member’s decision to share threat information is voluntary. Liu et al. (2014: 6) believe that voluntary sharing policies allow incentive misalignment to persist through free riding, leading to a low information sharing equilibrium. Moreover, not all firms within an industry are members of their respective ISAC, so data sharing is not comprehensive. Nevertheless, the market process also motivated information sharing innovation that addressed the purported market failure claims.

For example, private sector companies supplanted the government as the major contributors to incident response organizations like FIRST. A voluntary affiliation with these organizations requires some investment of company resources, which is only rational if a firm believes threat sharing will reduce the reputational and operational losses from cyber-attacks. The financial risks of cyber-attacks seemingly motivated alert entrepreneurs to join. By 1996, nearly 40% of the members were private sector companies, making commercial companies the largest represented sector (Slayton & Clarke, 2020: 186). Today, FIRST comprises over 100 U.S.-based response teams, nearly 85% of which are private companies.

Given the lure of profits from improving cybersecurity for business and individual consumers, alert entrepreneurs also started new firms with novel information sharing capabilities. Slayton and Clarke (2020: 186–187) find that the growth of the Internet and its associated risks produced an increasing preference for cyber incident response services that was satisfied by a rapidly growing private sector. Entrepreneurs created a new industry segment, managed security service providers (MSSPs), that pools information from multiple clients in order to improve the detection of novel and correlated cyber risks (Benaroch, 2020: 316). Firms like Trend Micro, FireEye, and Sophos harness cutting-edge technologies to collect information on new attacks and sell real-time feeds of this data to their customers (Ring, 2014: 6). As one specific example, MSSPs created intelligence sharing services that push relevant security information to their cloud servers in real time so that their customers remain secure (Clarke & Knake, 2019: 60). Most importantly, MSSPs “cross the last mile” by updating their networks to protect against newly identified threats, thereby reducing the likelihood and consequences of an attack (Douris, 2017: 9–10).

MSSP information sharing collaboration provides one final instance of alert entrepreneurial activity through economic organization. As noted above, sharing improves cybersecurity outcomes by reducing the ability of hackers to reuse vulnerabilities, but public–private partnerships usually suffered from trust and free riding limitations. Four prominent security vendors, McAfee, Symantec, Palo Alto Networks, and Fortinet, created the Cyber Threat Alliance (CTA) in 2014 with membership requirements that overcame these limitations. Like ISACs, the CTA established membership rules to internalize positive externalities. As one example, members must anonymize sensitive information about a business or its customers, which enables trust in handling and exchanging data. Unlike other sharing organizations, the CTA also mandates minimum data sharing requirements, where each member must submit at least one thousand unique pieces of threat data per day (Clarke & Knake, 2019: 61). Unique payoff rules help ensure that the exchanged data is high quality. Each member’s submissions are scored by the other members, and the average score must stay above a minimum threshold for a member to remain in good standing. Thus, the CTA’s organizational innovation of mandatory sharing with quality reviews minimizes free riding concerns.

Effectiveness is measured, in part, by the CTA’s institutional evolution, the number of organizations participating, and data sharing statistics. The CTA became an independent non-profit in 2017 because of the agreement’s success and the desire to scale the effort through investment in dedicated staff and a data sharing technology platform. The number of participating organizations has meaningfully increased from the founding four companies to 36 active members as of 2023 (CTA 2023). Moreover, the volume of shared threat data has grown. Members collectively shared 11 million indicators (e.g. files, domain names, addresses) per month in 2022 (CTA 2023), nearly triple the four million indicators shared per month in 2018 (Clarke & Knake, 2019: 61).

Thus, cybersecurity organizational innovations are solving disequilibria associated with data sharing externalities. The institutional entrepreneurs that established ISACs and the CTA defined governance mechanisms that improved the security of cyber space and provided a “protective tier” (Leeson & Boettke, 2009: 253) for continued IT innovation. Guided by market forces, entrepreneurs also created new businesses and modified their organizations to improve the quality and quantity of threat information sharing. Contrary to a market with limited vulnerability sharing, Sauerwein et al. (2017: 837) comment that businesses today demonstrate a disposition towards data sharing related to “vulnerabilities, threats, incidents, and mitigation strategies in order to collectively protect against today’s sophisticated cyber-attacks.” A sizable body of research is now dedicated to cyber threat information sharing, due to the motivations of many organizations to proactively communicate and work together (Wagner et al., 2019: 10).

This section applied price theory and the market process to evaluate the speed, accuracy, and extent to which cybersecurity entrepreneurs resolve disequilibria across three use cases. Entrepreneurial discovery is successfully equilibrating the underlying market variables of tastes and technologies with revised prices and associated profit and losses in the market (Boettke, 2002: 270). IT innovation has significantly increased the costs of data breaches and consumer preferences for security have sharply risen. Alert entrepreneurs have responded to these profit opportunities with innovative software production processes (e.g. software patching), products (e.g. authentication end-items), and institutional organizations (e.g. vulnerability sharing syndicates). These findings are profound because they contradict the conventional wisdom that the market fails and requires regulation. The cybersecurity market is not one of static disequilibria that is constantly failing in a technical welfare sense, but one that is producing higher quality cybersecurity and moving towards greater efficiency over time.

5 Conclusion

Cyber insecurity certainly exists, but not due to a persistent underinvestment in security or lack of information sharing across all products and services. The existence of a cyber issue is not evidence that the market is unable to self-regulate because consumer preferences for security are highly dependent upon competing product characteristics and the data’s intrinsic value. Entrepreneurs, in fact, invest more significantly in self-regulating mechanisms where the data is higher valued, such as the payment processing industry. Moreover, all markets are imperfect due to persistent change and complexities. The cybersecurity market is particularly challenging due to innate vulnerabilities, innovative hackers, and rapid IT advancements.

Therefore, an accurate assessment of market failure ought to also focus on the speed, degree, and extent to which departures from the equilibrium state are solved. Guided by the market process, entrepreneurs have pierced through the veil of ignorance to pioneer cybersecurity solutions that respond to current and emergent threats, new technologies, and changing consumer preferences. Contrary to the common claims of rampant and persistent market failure, my research finds that in today’s market, many IT products possess substantially improved cybersecurity quality and many organizations proactively share threat data.

The private sector cybersecurity entrepreneur is relatively successful; however, entrepreneurial activity extends to government and non-profit organizations that provide both overlapping and unique outputs. MITRE, a non-profit that operates federally funded research and development centers, has created frameworks to standardize how cybersecurity information is shared. The Department of Defense publishes a recurring cyber strategy, which asserts that the department will defend forward to protect against sophisticated state-sponsored cybersecurity threats. As an example, the National Security Agency will engage in offensive cyber operations using known vulnerabilities to exploit adversary systems (Clarke & Knake, 2019: 21–23). Additional research into the extent and ability of these non-market entrepreneurs to coordinate and secure cyberspace under alternative institutional arrangements is needed. Yerger (2023), for example, conducts several case studies of purported public sector innovation and finds mixed evidence that government institutions offer sufficient conditions to foster innovation.

In conclusion, a comprehensive examination of cybersecurity innovative activity across all organizations is necessary, so that society understands the institutions that best promote a safe and well-functioning cyberspace. This paper fundamentally asserts that private businesses acting within market institutions create new solutions to highly complex IT security challenges. My research suggests that the cybersecurity community ought to use an economics lens to comparatively assess institutional efficacy as a dynamic process rather than a static one. I believe stakeholders will have a greater appreciation for the tremendous amount of entrepreneurial innovation in this market if they change their inquiry from “did a failure occur?” to “was the problem fixed?”