Firm-level Resource Allocation to Information Security in the Presence of Financial Distress

In this paper, we adopt an organizational perspective on the management of information security and analyze, in a multi-period context, how an organization should allocate its internal cash flows and available external funds to revenue-generating (productive) and security-assuring (protective) processes in the presence of security breach, borrowing and financial distress costs. We show analytically and illustrate numerically that capital stock accumulation is lower and allocations to security are higher in the initial periods compared to the benchmark (no security breach) case, while in the long run the steady-state allocations do not differ. Further, we show that external insurance can be beneficial to both the firm and the provider, and we examine the cost parameters that affect the feasibility range. The results highlight the importance of resource allocation and insurance at the organizational level in addressing security breach problems and enable managers to seek and use relevant information effectively.
