City Research Online

An Options Approach to Cybersecurity Investment

Chronopoulos, M., Panaousis, E. & Grossklags, J. (2018). An Options Approach to Cybersecurity Investment. IEEE Access, 6, pp. 12175-12186. doi: 10.1109/access.2017.2773366

Abstract

Cybersecurity has become a key factor that determines the success or failure of companies that rely on information systems. Therefore, investment in cybersecurity is an important financial and operational decision. Typical information technology investments aim to create value, whereas cybersecurity investments aim to minimize loss incurred by cyber attacks. Admittedly, cybersecurity investment has become an increasingly complex one, since information systems are typically subject to frequent attacks, whose arrival and impact fluctuate stochastically. Furthermore, cybersecurity measures and improvements, such as patches, become available at random points in time making investment decisions even more challenging. We propose and develop an analytical real options framework that incorporates major components relevant to cybersecurity practice, and analyze how optimal cybersecurity investment decisions perform for a private firm. The novelty of this paper is that it provides analytical solutions that lend themselves to intuitive interpretations regarding the effect of timing and cybersecurity risk on investment behavior using real options theory. Such aspects are frequently not implemented within economic models that support policy initiatives. However, if these are not properly understood, security controls will not be properly set resulting in a dynamic inefficiency reflected in cycles of over or under investment, and, in turn, increased cybersecurity risk following corrective policy actions. Results indicate that greater uncertainty over the cost of cybersecurity attacks raises the value of an embedded option to invest in cybersecurity. This increases the incentive to suspend operations temporarily in order to install a cybersecurity patch that will make the firm more resilient to cybersecurity breaches. Similarly, greater likelihood associated with the availability of a cybersecurity patch increases the value of the option to invest in cybersecurity. However, the absence of an embedded investment option increases the incentive to delay the permanent abandonment of the company’s operation due to the irreversible nature of the decision.

Publication Type: Article
Additional Information: © 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Publisher Keywords: Investment, Uncertainty, Organizations, Timing, Cybersecurity; investment analysis; real options
Subjects: H Social Sciences > HD Industries. Land use. Labor > HD61 Risk Management
H Social Sciences > HG Finance
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: Bayes Business School > Actuarial Science & Insurance
SWORD Depositor:
[thumbnail of options approach to cybersecurity.pdf]
Preview
Text - Accepted Version
Download (4MB) | Preview

Export

Add to AnyAdd to TwitterAdd to FacebookAdd to LinkedinAdd to PinterestAdd to Email

Downloads

Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login