Skip navigation

An options approach to cybersecurity investment

An options approach to cybersecurity investment

Chronopoulos, Michail, Panaousis, Emmanouil ORCID: 0000-0001-7306-4062 and Grossklags, Jens (2017) An options approach to cybersecurity investment. IEEE Access, 6. pp. 12175-12186. ISSN 2169-3536 (Online) (doi:https://doi.org/10.1109/ACCESS.2017.2773366)

[img]
Preview
PDF (Publisher's PDF - Open Access)
24378 PANAOUSIS_Options_Approach_Cybersecurity_Investment_(OA)_2017.pdf - Published Version
Available under License Creative Commons Attribution.

Download (1MB) | Preview

Abstract

Cybersecurity has become a key factor that determines the success or failure of companies that rely on information systems. Therefore, investment in cybersecurity is an important financial and operational decision. Typical information technology investments aim to create value, whereas cybersecurity investments aim to minimize loss incurred by cyber attacks. Admittedly, cybersecurity investment has become an increasingly complex one, since information systems are typically subject to frequent attacks, whose arrival and impact fluctuate stochastically. Furthermore, cybersecurity measures and improvements, such as patches, become available at random points in time making investment decisions even more challenging. We propose and develop an analytical real options framework that incorporates major components relevant to cybersecurity practice, and analyze how optimal cybersecurity investment decisions perform for a private firm. The novelty of this paper is that it provides analytical solutions that lend themselves to intuitive interpretations regarding the effect of timing and cybersecurity risk on investment behavior using real options theory. Such aspects are frequently not implemented within economic models that support policy initiatives. However, if these are not properly understood, security controls will not be properly set resulting in a dynamic inefficiency reflected in cycles of over or under investment, and, in turn, increased cybersecurity risk following corrective policy actions. Results indicate that greater uncertainty over the cost of cybersecurity attacks raises the value of an embedded option to invest in cybersecurity. This increases the incentive to suspend operations temporarily in order to install a cybersecurity patch that will make the firm more resilient to cybersecurity breaches. Similarly, greater likelihood associated with the availability of a cybersecurity patch increases the value of the option to invest in cybersecurity. However, the absence of an embedded investment option increases the incentive to delay the permanent abandonment of the company’s operation due to the irreversible nature of the decision.

Item Type: Article
Uncontrolled Keywords: security, economics
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Faculty of Engineering & Science
Last Modified: 04 Mar 2022 13:07
URI: http://gala.gre.ac.uk/id/eprint/24378

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics