Premium
Enterprise security economics: A self‐defense versus cyber‐insurance dilemma
Author(s) -
Miaoui Yosra,
Boudriga Noureddine
Publication year - 2019
Publication title -
applied stochastic models in business and industry
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.413
H-Index - 40
eISSN - 1526-4025
pISSN - 1524-1904
DOI - 10.1002/asmb.2451
Subject(s) - investment (military) , reinsurance , actuarial science , vulnerability (computing) , work (physics) , business , computer security , cover (algebra) , dilemma , pessimism , finance , risk analysis (engineering) , computer science , law , mechanical engineering , philosophy , epistemology , politics , political science , engineering
We propose a model that optimizes enterprise investments in cybersecurity using expected utility theory. The model allows computing (a) investment in self‐defense to reduce the risk of security breaches, (b) investment in cyber insurance to transfer the residual risk to insurance companies, and (c) investment in forensic readiness to make the insured firms capable of generating provable insurance claims about security breaches. A three‐phase–based model of vulnerability rate evolution over time is proposed and used to estimate the different planned security expenditures throughout the investment horizon. At the starting time of investment, a decision maker invests to cover the existing risk of breach and periodically spends to cover the additional risk observed due to the release of new vulnerabilities. In this work, the intermediate tranches are determined while considering three different attitudes of decision makers, namely, optimistic, pessimistic, and realistic. An analysis is conducted to assess the performance of the proposed models.