The increasing use of information technology in daily life raises issues on information security for governments and organisations. To increase the level of security in a country, policy makers often propose regulations to control certain kinds of behaviour. However, the necessity and effectiveness of these regulations are often questioned. In this thesis, I examine regulations on security service market and countrywide security operations. In particular, the issues of misaligned incentive and information asymmetry are analysed for the security service market, and the result suggested self-regulation can solve the issue of misaligned incentive, and government intervention is needed to solve the issue of information asymmetry. For the regulations on countrywide security operations, I study the effectiveness of mandatory use of security software and incident notification using China as the subject of natural experiment, and the result suggested both approaches can reduce cyberattack initiated from China significantly.

Abstract Only