Increasing Cybersecurity Investments in Private Sector Firms

The primary objective of this article is to develop an economics-based analytical framework for assessing the impact of government incentives/regulations designed to offset the tendency of private sector firms to underinvest in cybersecurity-related activities. The analysis shows that the potential for government incentives/regulations to increase cybersecurity investments by private sector firms depends on two fundamental issues: (i) whether or not firms are utilizing the optimal mix of inputs to cybersecurity, and (ii) whether or not firms are able, and willing, to increase their investments in cybersecurity activities. The article discusses the implications of these findings and provides a formal analysis of those implications. In addition, it discusses existing actions by the US federal government that should be more effectively utilized before, or at least in conjunction with, considering new government incentives/regulations for increasing cybersecurity investments by private sector firms.
