Economies and societies are increasingly reliant upon “smart products” that contain code and can connect to one another, e.g. through the Internet. Recent cyber-attacks such as Mirai, WannaCry, NotPetya and SolarWinds have underlined that the exploitation of vulnerabilities in smart products can have severe economic and social consequences. Such attacks increasingly threaten users’ safety and well-being, as well. This report shows that economic factors play an important role in the relative “insecurity” of smart products. It develops an analytical framework based on the value chain and lifecycle of smart products, and applies the framework to three case studies: computers and smartphones, consumer Internet of Things (IoT) devices and cloud services. It demonstrates that complex and opaque value chains lead to a misallocation of responsibility for digital security risk management, while significant information asymmetries and externalities often limit stakeholders’ ability to behave optimally.