research-article

Allocation of resources to cyber-security

Published: 01 July 2015

Abstract

Cyber-security is increasingly seen as an important determinant of firm-specific financial risk. Agency theory suggests that managers and investors have different preferences over such risk because investors can diversify their capital across different firms to reduce firm-specific risk, but managers cannot diversify their investment of human capital in their firm. Managers therefore face a greater personal cost of financial distress during their limited tenure. We develop an analytical model for optimally allocating investments between general productive assets and specific cyber-security assets, incorporating the costs of security breaches, borrowing and financial distress. We note that investment in productive assets generates cash flows that allow the firm to better withstand security threats in the long run, whereas investment in specific security-enhancing assets reduces security breaches in the short run while leaving the firm's finances vulnerable over a longer period. Using our model, we show that managers over-invest in specific security-enhancing assets to reduce security breaches during their tenure. We then incorporate cyber-insurance in our model and show that it has the effect of reducing managers' over-investment in specific security-enhancing assets.

Unlike investors, managers have limited tenure and cannot diversify their human capital investment in a firm, resulting in a misalignment of interests. The risks of security threats and the consequent financial distress costs are therefore viewed differently by managers and investors. We model the effect of differential incentives between managers and investors on cyber-security fund allocation. We find that managers over-invest in security to reduce breaches during their tenure. We also show that cyber-insurance is feasible and serves to reduce the adverse consequences of misalignment of interests.



    Published In

    Decision Support Systems, Volume 75, Issue C, July 2015, 76 pages

    Publisher

    Elsevier Science Publishers B. V., Netherlands

    Author Tags

    1. Decision-making security breach costs
    2. Financial distress
    3. Insurance
    4. Resource allocation

    Qualifiers

    • Research-article


    Citations

    Cited By

    • (2024) Identification and prioritization of the challenges faced by vendor organizations in the shape of cyber security. Journal of Software: Evolution and Process, 36:12. https://doi.org/10.1002/smr.2717. Online publication date: 10-Dec-2024.
    • (2023) How Suboptimal is Work-From-Home Security in IT/ICS Enterprises? A Strategic Organizational Theory for Managers. ACM Transactions on Management Information Systems. https://doi.org/10.1145/3579645. Online publication date: 15-Feb-2023.
    • (2022) Cybersecurity of Industrial Cyber-Physical Systems: A Review. ACM Computing Surveys, 54:11s, 1-35. https://doi.org/10.1145/3510410. Online publication date: 9-Sep-2022.
    • (2019) Information security decisions for two firms in a market with different types of customers. Journal of Combinatorial Optimization, 38:4, 1263-1285. https://doi.org/10.1007/s10878-019-00446-6. Online publication date: 1-Nov-2019.
    • (2018) Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision Making. Information Systems Research, 29:2, 315-340. https://doi.org/10.1287/isre.2017.0714. Online publication date: 1-Jun-2018.
    • (2018) Human-Machine Teaming and Cyberspace. Augmented Cognition: Intelligent Technologies, 299-315. https://doi.org/10.1007/978-3-319-91470-1_25. Online publication date: 15-Jul-2018.
    • (2017) Cyber Attacks, Contributing Factors, and Tackling Strategies. International Journal of Cyber Behavior, Psychology and Learning, 7:4, 68-82. https://doi.org/10.4018/IJCBPL.2017100106. Online publication date: 1-Oct-2017.
    • (2017) Economic valuation for information security investment. Information Systems Frontiers, 19:5, 1205-1228. https://doi.org/10.1007/s10796-016-9648-8. Online publication date: 1-Oct-2017.
    • (2016) Decision support approaches for cyber security investment. Decision Support Systems, 86:C, 13-23. https://doi.org/10.1016/j.dss.2016.02.012. Online publication date: 1-Jun-2016.
