Cybersecurity has become a key factor that determinesudthe success or failure of companies that rely on informationudsystems. Therefore, investment in cybersecurity is an importantudfinancial and operational decision. Typical information technologyudinvestments aim to create value, whereas cybersecurity investmentsudaim to minimize loss incurred by cyber attacks. Admittedly,udcybersecurity investment has become an increasingly complexudone since information systems are typically subject to frequentudattacks, whose arrival and impact fluctuate stochastically. Further,udcybersecurity measures and improvements, such as patches,udbecome available at random points in time making investmentuddecisions even more challenging.udWe propose and develop an analytical real options frameworkudthat incorporates major components relevant to cybersecurityudpractice, and analyze how optimal cybersecurity investment decisionsudperform for a private firm. The novelty of this paper is thatudit provides analytical solutions that lend themselves to intuitiveudinterpretations regarding the effect of timing and cybersecurityudrisk on investment behavior using real options theory. Suchudaspects are frequently not implemented within economic modelsudthat support policy initiatives. However, if these are not properlyudunderstood, security controls will not be properly set resultingudin a dynamic inefficiency reflected in cycles of over or underudinvestment, and, in turn, increased cybersecurity risk followingudcorrective policy actions.udResults indicate that greater uncertainty over the cost ofudcybersecurity attacks raises the value of an embedded optionudto invest in cybersecurity. This increases the incentive to suspendudoperations temporarily in order to install a cybersecurity patchudthat will make the firm more resilient to cybersecurity breaches.udSimilarly, greater likelihood associated with the availability of audcybersecurity patch increases the value of the option to invest inudcybersecurity. However, absence of an embedded investment optionudincreases the incentive to delay the permanent abandonmentudof the company’s operation due to the irreversible nature of theuddecision.
展开▼