Some policy analysts seem willing to infer a market failure any time they observe an externality. This inference is a colossal error. Despite the close relationship between externalities and market failure, the observation of an externality is not sufficient to infer a market failure.
This paper is devoted to the rectification of this error, with specific application to cybersecurity policy. The first half of the paper presents several reasons, supported by the economic literature, why externalities are insufficient for the inference of market failure. The second half of the paper applies these arguments to areas of cybersecurity policy in which it has been claimed that markets have failed and government intervention is therefore necessary.
This paper finds that alleged cybersecurity market failures are, at a minimum, much smaller than they at first appear and, consequently, that attempts to correct them through naïve government regulation run the serious risk of doing more harm than good.