Misaligned incentives in secure software development have long been the focus of research in the economics of security. Product liability, a powerful legal framework in other industries, has been largely ineffective for software products until recent times. However, the rapid regulatory responses to recent global cyberattacks by both the United States and the European Union, together with the (relative) success of the General Data Protection Regulation in defining both duty and standard of care for software vendors, may just enable regulators to use liability to re-align incentives for the benefit of the digital society. Specifically, the recently proposed United States National Cybersecurity Strategy shifts responsibility for cyber incidents back to software vendors. In doing so, the strategy also puts forward the concept of the liability waiver: if a software company voluntarily undergoes and passes an IT security audit, its liability is waived. In this paper, we analyze this audit scenario from the aspect of the software vendor. We propose a mechanism where a software vendor should first undergo a repeated auditing process in each stage of which the vendor decides whether to quit early or stay with additional security investment. We show that the optimal strategy for an opt-in vendor is to never quit; and exert cumulative investments in either "one-and-done" or "incremental" manner. We relate the audit mechanism to a liability waiver insurance policy and revealed its effect on reshaping the vendor's risk perception. We also discuss influence of audit quality on the vendor's incentives and pinpoint that a desirable audit rule should be highly accurate and less strict.

翻译：安全软件开发中的激励错位长期以来一直是安全经济学研究的焦点。产品责任——这一在其他行业中强大的法律框架——直到近期才对软件产品基本无效。然而，美国和欧盟针对近期全球网络攻击的快速监管响应，加上《通用数据保护条例》在界定软件供应商的注意义务与注意标准方面的（相对）成功，可能恰好使监管机构能够利用责任机制重新调整激励措施，以造福数字社会。具体而言，美国近期提出的《国家网络安全战略》将网络事件的责任重新归于软件供应商。同时，该战略还提出了责任豁免的概念：若软件公司自愿接受并通过IT安全审计，则可免除其责任。本文从软件供应商的角度分析了这一审计场景。我们提出一种机制：软件供应商应首先经历一个重复审计过程，在每个阶段中，供应商需决定是提前退出还是继续投入额外安全投资。我们表明，选择加入的供应商的最优策略是永不退出；并以“一次性投入”或“渐进式投入”的方式进行累积投资。我们将审计机制与责任豁免保险政策相关联，并揭示了其重塑供应商风险认知的效果。我们还讨论了审计质量对供应商激励的影响，并指出理想的审计规则应具备高准确性和较低的严格性。