Vulnerabilities, Cybersecurity, and the Role of Law and Regulation herein

Nowadays it is not difficult to conjure up images of hacked power plants, remote-hijacked public transportation systems, and the like. By exploiting hidden vulnerabilities, attackers plunder business secrets, steal consumers' digital records, and quietly try to reshape the world. Most of society lacks awareness of software vulnerabilities. Software vendors are unlikely to discuss flaws in their products publicly, and the related markets for vulnerabilities are often opaque. This thesis introduces its readers to a structured discussion and analysis of software vulnerabilities in the face of the challenges posed by cyberattacks.

This thesis analyses software vulnerabilities and their relevance to cybersecurity from an economic perspective, and it discusses the role of law and regulation designed to address problems of vulnerabilities and cybersecurity using the law and economics approach. A software vulnerability has an intrinsic value and a life cycle. There are people who search for these vulnerabilities (the bug hunters), and there are three markets for vulnerabilities: white, grey, and black. The profit-maximization assumption of traditional economics also applies to bug hunters. Moreover, this thesis finds that the white market is much more competitive than the grey or black market. Among the factors that influence the price of a software vulnerability in the black market, the bounty price (the white market price) deserves particular attention.

This thesis finds that the practice of governments retaining vulnerabilities is acceptable in the short run for the purposes of law enforcement or intelligence, given the advanced encryption and anonymization technologies used by criminals. In the long run, however, government agencies should avoid vulnerability transactions. Furthermore, government agencies should give the utmost attention to protecting their vulnerability stockpiles from theft.
The empirical results of this thesis show that a market failure exists, at least to some extent, in relation to vulnerabilities. There was no significant market pressure on the software vendor even after a severe cyberattack had shown the software to be seriously flawed. Possible avenues for correcting this market failure can be found in private law, administrative law, or other means of central intervention. This thesis advocates jointly using liability rules and safety regulation backed by a public fine (regulation backed by an administrative fine) for the harm caused by a vulnerability. More details are provided by means of an economic model. The result is a combination of torts and regulation (ex ante and ex post), which is in line with the suggestions made in Shavell (1984) and Faure, Visscher & Weber (2016).


2021-11-11
Doctoral Thesis
