Valuing the flexibility of investing in security process innovations

In this paper, we develop a decision model of a firm's optimal strategy for investment in security process innovations (SPIs) when confronted with a sequence of malicious attacks. The model incorporates real options as a methodology to capture the flexibility embedded in such investment decisions. SPIs, when seamlessly integrated with the organization's overall business dynamics, induce organizational learning and provide the flexibility of switching to more suitable technologies as the environment of malicious attacks changes. The theoretical contribution of this paper is a mathematical model of the invest-to-learn and switching options generated upon early investment in flexible SPIs. The practical significance of the paper is the application of a binomial lattice model to approximate the continuous-time model, resulting in an easy to use decision aid for managers.

[1]  Juhani Anttila,et al.  Balanced integration of information security into business management , 2004, Proceedings. 30th Euromicro Conference, 2004..

[2]  Lara Khansa,et al.  Quantifying the benefits of investing in information security , 2009, Commun. ACM.

[3]  Gary Stoneburner SP 800-33. Underlying Technical Models for Information Technology Security , 2001 .

[4]  L. Trigeorgis Real options and interactions with financial flexibility , 1993 .

[5]  J. Cockcroft Investment in Science , 1962, Nature.

[6]  N. Chriss Black-Scholes and Beyond: Option Pricing Models , 1996 .

[7]  T. Copeland Real Options: A Practitioner's Guide , 2001 .

[8]  Ephraim Clark,et al.  Optimal access pricing for natural monopoly networks when costs are sunk and revenues are uncertain , 2007, Eur. J. Oper. Res..

[9]  Peter M. Kort,et al.  Strategic Technology Adoption Taking into Account Future Technological Improvements: A Real Options Approach , 2000, Eur. J. Oper. Res..

[10]  Rosella Giacometti,et al.  On pricing of credit spread options , 2005, Eur. J. Oper. Res..

[11]  Huseyin Cavusoglu,et al.  Model for Evaluating , 2022 .

[12]  Allen M. Weiss,et al.  Investment in technological innovations: An option pricing approach , 1997 .

[13]  Michael D. Smith,et al.  Computer security strength and risk: a quantitative approach , 2004 .

[14]  Michael M. May,et al.  How much is enough? A risk management approach to computer security , 2000 .

[15]  Thomas G. Bifano,et al.  Management of R&D projects under uncertainty: a multidimensional approach to managerial flexibility , 2005, IEEE Transactions on Engineering Management.

[16]  E. Pennings,et al.  The Option Value of Advanced R&D , 1997 .

[17]  Paul Rappoport,et al.  Simple decision making criterion as real options , 2003, 2003 IEEE International Conference on Computational Intelligence for Financial Engineering, 2003. Proceedings..

[18]  Robert J. Kauffman,et al.  Using Real Options Analysis for Evaluating Uncertain Investments in Information Technology: Insights from the ICIS 2001 Debate , 2002, Commun. Assoc. Inf. Syst..

[19]  Amrit Tiwana,et al.  The Bounded Rationality Bias in Managerial Valuation of Real Options: Theory and Evidence from IT Projects , 2007, Decis. Sci..

[20]  James S. Dyer,et al.  Decision Analysis and Real Options: A Discrete Time Approach to Real Option Valuation , 2005, Ann. Oper. Res..

[21]  Frederick Mosteller,et al.  Understanding robust and exploratory data analysis , 1983 .

[22]  Thomas Dangl,et al.  Investment and capacity choice under uncertain demand , 1999, Eur. J. Oper. Res..

[23]  Jean J. Kong,et al.  Real Options in Strategic Investment Games between Two Asymmetric Firms , 2006 .

[24]  Lawrence A. Gordon,et al.  Information Security Expenditures and Real Options: A Wait-and-See Approach , 2003 .

[25]  R. Power CSI/FBI computer crime and security survey , 2001 .

[26]  E. Prescott,et al.  Investment Under Uncertainty , 1971 .

[27]  James Douglas Englehardt,et al.  A Bayesian Benefit‐Risk Model Applied to the South Florida Building Code , 1995 .

[28]  M. Leseure,et al.  Planning under uncertainty: assessing the robustness of technology real options , 2005, A Unifying Discipline for Melting the Boundaries Technology Management:.

[29]  S. Ross Uses, Abuses, and Alternatives to the Net-Present-Value Rule , 1995 .

[30]  Peter A. Forsyth,et al.  Wireless network capacity management: A real options approach , 2007, Eur. J. Oper. Res..

[31]  Robert Phaal,et al.  Valuation of technology: exploring a practical hybrid model , 2003, PICMET '03: Portland International Conference on Management of Engineering and Technology Technology Management for Reshaping the World, 2003..

[32]  P. Wilmott,et al.  The Mathematics of Financial Derivatives: Contents , 1995 .

[33]  Martin P. Loeb,et al.  CSI/FBI Computer Crime and Security Survey , 2004 .

[34]  Carlos Zozaya-Gorostiza,et al.  Investment Under Uncertainty in Information Technology: Acquisition and Development Projects , 2003, Manag. Sci..

[35]  Onno Lint,et al.  Market entry, phased rollout or abandonment? A real option approach , 2000, Eur. J. Oper. Res..

[36]  Yue Kuen Kwok,et al.  Real options in strategic investment games between two asymmetric firms , 2007, Eur. J. Oper. Res..

[37]  Kiyoshi Kobayashi,et al.  Optimal timing strategy for project evaluation and implementation , 2005, 2005 IEEE International Conference on Systems, Man and Cybernetics.

[38]  Lenos Trigeorgis,et al.  Real (investment) options with multiple sources of rare events , 2002, Eur. J. Oper. Res..

[39]  P. A. Forsyth,et al.  Wireless Network Capacity Investment , 2003 .

[40]  R. Hayes,et al.  Managing as if Tomorrow Mattered , 1982 .

[41]  A. Tiwana,et al.  Beyond Valuation: “Options Thinking” in IT Project Management , 2005 .

[42]  Lawrence A. Gordon,et al.  Budgeting process for information security expenditures , 2006, CACM.

[43]  Luis G. Vargas,et al.  Fitting the Lognormal Distribution to Surgical Procedure Times , 2000, Decis. Sci..

[44]  Rik R.G. Van Landeghem Option analysis: Making better decision faster , 1989 .

[45]  Peter Tufano,et al.  When are Real Options Exercised? An Empirical Study of Mine Closings , 2000 .

[46]  Bert De Reyck,et al.  Project options valuation with net present value and decision tree analysis , 2008, Eur. J. Oper. Res..

[47]  Jingguo Wang,et al.  An Extreme Value Approach to Information Technology Security Investment , 2005, ICIS.

[48]  Chris F. Kemerer,et al.  The assimilation of software process innovations: an organizational learning perspective , 1997 .

[49]  Michael D. Smith,et al.  How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks , 2003, Financial Cryptography.

[50]  S. Myers Determinants of corporate borrowing , 1977 .

[51]  Alfred Taudes,et al.  Real option valuation with neural networks , 1998, Intell. Syst. Account. Finance Manag..