Elsevier

Decision Support Systems

Volume 75, July 2015, Pages 49-62
Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors

https://doi.org/10.1016/j.dss.2015.04.011

Highlights

  • Unlike investors, managers have limited tenure and cannot diversify their human capital investment in a firm, resulting in misalignment of interest.

  • The risks of security threats and consequent financial distress costs are therefore viewed differently by managers and investors.

  • We model the effect of differential incentives between managers and investors on cyber-security fund allocation.

  • We find that managers over-invest in security to reduce breaches during their tenure.

  • We also show that cyber-insurance is feasible and serves to reduce the adverse consequences of misalignment of interests.

Abstract

Cyber-security is increasingly seen as an important determinant of firm-specific financial risk. Agency theory suggests that managers and investors have different preferences over such risk because investors can diversify their capital over different firms to reduce firm-specific risk, but managers cannot diversify their investment of human capital in their firm. Therefore, managers face a greater personal cost of financial distress during their limited tenure. We develop an analytical model for optimally allocating investments to general productive assets and specific cyber-security assets, incorporating the costs of security breaches, borrowing and financial distress. We note that investment in productive assets generates cash flows that allow the firm to better withstand security threats in the long run, whereas investment in specific security-enhancing assets reduces security breaches in the short run while leaving the firm's finances vulnerable over a longer period. Using our model, we show that managers over-invest in specific security-enhancing assets to reduce security breaches during their tenure. We then incorporate cyber-insurance in our model and show that it has the effect of reducing managers' over-investment in specific security-enhancing assets.

Introduction

The importance of protecting intellectual and other property rights from cyber-attacks has grown exponentially over the last few years [45]. Innovative young firms could be eviscerated by the loss of their intellectual capital to cyber-attacks [34]. Cybercrime could inflict devastating losses even on large firms. Smith [41] points out that Nortel Networks filed for bankruptcy in 2009 after a decade during which hackers accessed executive computers to obtain business plans, reports, emails and other documents. A recent McKinsey study estimates that the economic losses due to cyber-attacks may well reach $20 Trillion by 2020 [15].

Recognizing this problem, the Corporate Finance Division of the U.S. Securities and Exchange Commission (SEC) issued guidelines in 2011 for listed US firms on disclosing the costs and risks of cybercrime. In this paper, we develop a decision support model for the allocation of resources to combating cyber-attacks. We use an agency-theoretic view of the firm to identify the misalignment of interests between managers and investors in such allocation. Further, we document the usefulness of cyber-insurance.

In the agency-theoretic view of the firm, managers and investors have differing preferences over the allocation of investment between income-generating (productive) assets and security-enhancing assets and activities. Productive assets increase cash flows that reduce the vulnerability of the firm to financial distress from security problems in the long run, whereas security-enhancing assets and activities reduce security breaches in the short run at the expense of cash flow over the long run. Managers prefer security investments that protect the assets of the firm and, in turn, protect their jobs and pay during their tenure, whereas investors prefer productive assets that increase long-run productivity because they can mitigate the short-term financial risk through diversification. Managers, not investors, choose the mix of productive and security investments in the firm, making the decision subject to the agency problem [20].

The agency-theoretic view we utilize in this paper has a direct and strong linkage to the IT governance perspective as enunciated by Weill and Ross [47]. IT governance specifies accountabilities for IT-related business outcomes and helps a firm align its IT investments (for example, in security enhancements) with the firm's strategic objectives. According to Weill and Ross [47], one of the key decisions that underpins effective IT governance is prioritization and investment, that is, decisions about how much and where to invest in IT. One factor relevant to this decision is the relative importance of enterprise-wide versus business unit investments, and how far actual practice reflects that relative importance. This factor highlights a potential tension that may exist, in practice, between a business unit manager's goals, preferences and time horizon on one hand and, on the other, the relative importance that enterprise-wide managers (who may follow the Business Monarchy archetype) attach to corporate and investor goals. This paper primarily addresses this tension and helps to highlight how firms can make IT governance transparent.

Our motivation to study the problem arises from the following trends: (i) the importance of cyber-security is rapidly increasing; (ii) the vulnerability of firms to cyber-attacks is increasing; and (iii) security-enhancing tools that improve visibility into networks, web applications and end points have become more effective in preventing security breaches and are available for managers to invest in. By allocating funds to security-enhancing tools, managers can effectively reduce the probability of, and the potential loss from, cyber-attacks; but at the same time, the diversion of funds away from productive assets reduces cash flow and increases the vulnerability of the firm to financial distress from cyber-attacks in the long run.

We address this problem by developing a multi-period model of the firm's allocation of its internal and available external funds between productive assets and security activities when faced with costs related to security breaches, borrowing and financial distress. The investment in security takes two forms: direct investments in security-enhancing assets and the choice of productive assets that are less vulnerable to security threats. Productive assets that have the added feature of resisting security threats are likely to be costlier than similar assets without those features. Either form of investment in security reduces the funds available for investments that increase cash inflows. We allow the investments in productive capital to accumulate over time. We show that although the ultimate steady-state productive capital accumulation is not affected by security breach and financial distress costs, the initial investment in productive capital is lower and the rate of accumulation is slower because of them. Security breach and financial distress costs slow down capital accumulation while accelerating the allocation to security in the short run. Managers who bear higher personal financial distress costs invest more in security and less in productive capital compared to the optimal allocation from the investors' viewpoint. Further, managers have limited tenure in the firm, unlike owner-investors, and therefore are more incentivized to protect the firm's assets in the short run during their tenure rather than focus on the long run. Finally, we show that external cyber-insurance can benefit both the firm and the insurer over a feasibility range determined by cost parameters. A noteworthy effect of external insurance is that it reduces the difference between the manager-optimal and investor-optimal allocations.

Our paper contributes to the literature in three ways. First, we develop a decision-support model that helps in making resource allocation decisions between productive and security operations in the presence of costly security breaches and financial distress costs. Second, we show that managers have incentives to invest more in security than is optimal for investors. Third, we show that cyber-insurance can be mutually beneficial to both the insured and the insuring firms by reducing the managers' over-allocation of resources to security.

We give the background and description of our approach in the next section, and discuss prior related research in Section 3. Section 4 gives the models, results and numerical illustrations for settings with security breach, borrowing and financial distress costs. We examine the role of external insurance in Section 5 and provide summary and concluding remarks in Section 6.

Section snippets

Evidence on the threats and costs of security failures and their mitigation

Increasingly, there are attempts both by parties with malicious intent and by seemingly unrelated third parties (such as hackers) to breach corporate information and financial systems. A U.S. GAO report (GAO-10-536 T, March 24, 2010) warns about the vulnerability of federal computer systems to such intrusions, prompting the U.S. Congress to require federal agencies to pursue both technological and organizational measures to enhance cyber security. There is also evidence that the frequency of

Related work

Analysis of information security from an economic perspective has recently attracted much research interest. Gordon and Loeb [18] develop an optimal allocation model among different information assets with different vulnerabilities. Kumar et al. [29] explore firm level security budgeting when decision rights reside with different agents with divergent priorities. Ulvila and Gaffney [46] propose a decision analytic framework for evaluating computer intrusion detection systems. Cavusoglu et al.

The Security Breach Models

The firm starts with an initial capital endowment K0. The investment in productive assets produces cash inflows whereas security-enhancing investments reduce the likelihood of security breaches. The security breach costs deplete the residual cash (funds available after investments in productive and security operations) available to the firm. One consequence of this depletion is that a firm will have fewer resources to invest in revenue generating processes and to pay dividends in future time

Model with Cyber-Insurance

The study of cyber-insurance as a way to mitigate cyber-security risks has received considerable attention over the last decade. Several studies consider cyber-insurance contracts in an interconnected system with different stakeholders when there are correlated security breach damages due to organizational interdependencies (links between suppliers and producers in a supply chain) (Ogut and Menon 2005; [35]; Yurcik 2002; Shetty et al. 2009). A second stream of literature focuses on

Summary and concluding remarks

In this paper, we examine the allocation of resources to productive assets and security operations in the presence of costly security breaches that could result in financial distress. In addition, we investigate the role of external insurance in mitigating the effects of breach costs. We build a decision support model to aid decision makers in the allocation of resources to productive and security operations in the presence of cyber-security breach costs and financial distress costs.

References (43)

  • A. Mukhopadhyay et al., Cyber-risk decision models: to insure IT or not?, Decision Support Systems (December 2013)

  • J. Ronen et al., The effect of directors' equity incentives on earnings management, Journal of Accounting and Public Policy (2006)

  • H. Almeida et al., The risk adjusted cost of financial distress, Journal of Finance (2007)

  • T. Bandyopadhyay et al., Why IT managers don't go for cyber-insurance products, Communications of the ACM (2009)

  • Betterley Report, Cyberrisk Market Survey

  • S. Bhojraj et al., Capital market pressure, disclosure frequency-induced earnings/cash flow conflict, and managerial myopia, The Accounting Review (2005)

  • R. Böhme et al., Modeling cyber-insurance: towards a unifying framework

  • R. Böhme, Security metrics and security investment models

  • R. Böhme, Cyber-insurance revisited

  • J. Bolot et al., Cyber insurance as an incentive for internet security

  • B.J. Bushee, The influence of institutional investors on myopic R&D investment behavior, The Accounting Review (1998)

  • H. Cavusoglu et al., The value of intrusion detection systems in information technology security architecture, Information Systems Research (2005)

  • H. Cavusoglu et al., Security patch management: share the burden or share the damage?, Management Science (2008)

  • H. Cavusoglu et al., Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems, Information Systems Research (2009)

  • M. Cerullo et al., Threat assessment and security measures justification for advanced IT networks, Information Systems Control Journal (2005)

  • D. Chinn et al., Risk and responsibility in a hyper-connected world: implications for enterprises, Insights and Publications (2014)

  • L.A. Gordon et al., A framework for using insurance for cyber-risk management, Communications of the ACM (2003)

  • L. Gordon et al., The economics of information security investment, ACM Transactions on Information and System Security (2002)

  • O. Hart, Corporate governance: some theory and implications, The Economic Journal (1995)

  • K. Hausken, Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability, Information Systems Frontiers (2006)

  • H. Herath et al., Copula based actuarial model for pricing cyber-insurance policies, Insurance Markets and Companies: Analyses and Actuarial Computations (2011)
Cited by (63)

  • Cybersecurity capabilities and cyber-attacks as drivers of investment in cybersecurity systems: A UK survey for 2018 and 2019

    2023, Computers and Security

    Citation excerpt:

    While organizations consider cybersecurity as an important priority in the organization; cybersecurity is not considered part of the core of the business, as can be seen from the disconnection between the organizations' senior managers/direction and the organizations' internal developments in cybersecurity. These results are in line with previous investigations that show the low level of information that organizations' managers have about cybersecurity (Choo, 2011; Fernandez de Arroyabe and Fernandez de Arroyabe, 2021), and confirm that cybersecurity mostly has an operational nature in the organization (S. Okae et al., 2019; Chronopoulos et al., 2017; Srinidhi et al., 2015). Regarding the research question, the results confirm that investment in cybersecurity is a strategic decision in the company.

  • Informing cybersecurity strategic commitment through top management perceptions: The role of institutional pressures

    2021, Information and Management

    Citation excerpt:

    In other words, top managers' desire to protect their personal well-being [47] seems to have the greatest impact on their commitment to a cyberinsurance risk management strategy. Our findings confirm agency and expectancy theories that suggest that managers are interested in investments that protect the firm's assets and, therefore, that also protect their personal interests such as job security and salary [68]. This highlights the importance of personal relevance in the top manager's commitment to risk management approaches, which is different from personal relevance in employee security behaviors [47,117].

Bin Srinidhi is the Carlock Endowed Distinguished Professor of Accounting at University of Texas at Arlington. Dr. Srinidhi's research covers the areas of information economics, corporate governance, auditing, internal control systems and capital market research. His papers have been published in The Journal of Accounting and Economics, The Accounting Review, Contemporary Accounting Research, Review of Accounting Studies, Management Science, Journal of Accounting and Public Policy and Journal of Accounting, Auditing and Finance, among others. He serves as the Co-editor of Journal of Contemporary Accounting and Economics and Associate Editor of Asia Pacific Journal of Accounting and Economics. Prior to joining University of Texas at Arlington, Dr. Srinidhi was Chair Professor of Accountancy at City University of Hong Kong.

Jia Yan is now an assistant professor of economics at Washington State University. Dr. Yan's research covers wide topics in applied microeconomics and applied econometrics. Recent research topics include insurance and evaluating public policies aimed at reducing highway congestion and improving airport/port efficiency. His research papers have appeared in such journals as Econometrica, Journal of Public Economics, Journal of Urban Economics, Brookings-Wharton Papers on Urban Affairs, Insurance: Mathematics and Economics, and Transportation Research Part B: Methodological.

Dr. Yan received the best dissertation award from the transportation and public utility group of the American Economic Association in 2002. He also received the best paper award from the Transportation Research Forum in 2008 and from the International Transportation Economics Association in 2011. Since 2007, he has served on the editorial board of Transportmetrica and will serve as the Associate Editor of Journal of Air Transport Management starting 2013.

Giri Kumar Tayi is a Professor of Management Science and Information Systems at the State University of New York at Albany. He obtained his Ph.D. from Carnegie Mellon University and his research and teaching interests are interdisciplinary and span the fields of Information Systems, Operations Management and Operations Research. His papers have appeared in top-tier academic journals such as Operations Research, Management Science, MIS Quarterly, IEEE Transactions, Networks, Naval Research Logistics, EJOR, Journal of Combinatorial Optimization, INFORMS Journal of Computing, Journal of Computer Security, Government Information Quarterly, and Communications of the ACM.

He serves or has served on the Editorial Board of several academic journals such as Information Systems Research, IEEE Intelligent Systems, Decision Sciences, ACM Journal of Data and Information Quality, Information Technology Management, Information Systems Frontiers, Information and Management, and International Journal of Shipping and Transport Logistics.
