My research broadly falls under the field of applied microeconomics. Currently, I am focused on the economics of information and privacy, with a particular interest on cybercrime. Previously, I have worked on issues related to tax and transfer programs.
The Effects of Privacy Regulation on the Supply of Stolen Data
Individuals are constantly generating streams of data collected by businesses, educational institutions, data brokers, and many other organizations. These organizations are regularly targeted by cyber criminals attempting to steal that data in order to exploit or sell it in online markets. In this paper I propose a model of the stolen data economy to show how privacy regulations may affect the market. I then introduce a novel dataset of data breaches to study the effects of the European Union's General Data Protection Regulation (GDPR), a policy governing the collection and storage of user data, on the quantity of data available in the illicit market. Using a difference-in-differences design, I find that the GDPR caused a 60 percent reduction in the number of data breaches traded, but no reduction in the aggregate amount of data available. Analyzing the contents of the individual breaches, I find a nearly 70 percent increase in the amount of data they contain. These results are consistent with the model's prediction that low-value hacking targets becoming disproportionally less valuable after the GDPR, which in turn causes higher-value targets to make up a larger portion of post-GDPR data breaches.
Stock Market Reactions to Cybersecurity Incident Disclosures
New York Times: Tax Bill Calculator: Will Your Taxes Go Up or Down?