Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors
Introduction
The importance of protecting intellectual property and other assets from cyber-attacks has grown rapidly over the last few years [45]. Innovative young firms could be eviscerated by the loss of their intellectual capital to cyber-attacks [34], and cybercrime can inflict devastating losses even on large firms. Smith [41] points out that Nortel Networks filed for bankruptcy in 2009 after roughly a decade in which intruders had compromised executives' computers to access business plans, reports, emails and other documents. A recent McKinsey study estimates that the economic losses due to cyber-attacks may well reach $20 trillion by 2020 [15].
Recognizing this problem, the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC) issued guidance in 2011 on how listed US firms should disclose the costs and risks of cybercrime. In this paper, we develop a decision support model for the allocation of resources to combating cyber-attacks. We use an agency-theoretic view of the firm to identify the misalignment of interests between managers and investors in such allocation. Further, we document the usefulness of cyber-insurance.
In the agency-theoretic view of the firm, managers and investors have differing preferences over the allocation of investment between income-generating (productive) assets and security-enhancing assets and activities. Productive assets increase cash flows, which in the long run reduce the firm's vulnerability to financial distress arising from security problems, whereas security-enhancing assets and activities reduce security breaches in the short run at the expense of cash flow over the long run. Managers prefer security investments that protect the firm's assets and, in turn, their jobs and pay during their tenure, whereas investors prefer productive assets that increase long-run productivity, because they can mitigate the short-term financial risk through diversification. Managers, not investors, choose the mix of productive and security investments in the firm, making the decision subject to the agency problem [20].
The agency-theoretic view we utilize in this paper has a direct and strong linkage to the IT governance perspective enunciated by Weill and Ross [47]. IT governance specifies accountabilities for IT-related business outcomes and helps a firm align its IT investments (for example, in security enhancements) with its strategic objectives. According to Weill and Ross [47], one of the key decisions that underpins effective IT governance is prioritization and investment: decisions about how much and where to invest in IT. One factor relevant to this decision is the relative importance of enterprise-wide versus business unit investments, and how far actual practice reflects that relative importance. This factor highlights a tension that may exist in practice between business unit managers' goals, preferences and time horizons on the one hand and, on the other, the importance that enterprise-wide decision makers (in Weill and Ross's terms, a Business Monarchy archetype) attach to corporate and investor goals. This paper primarily addresses this tension and helps to show how firms can make IT governance transparent.
Our motivation to study the problem arises from the following trends: (i) the importance of cyber-security is rapidly increasing; (ii) the vulnerability of firms to cyber-attacks is increasing; and (iii) security-enhancing tools that improve visibility into networks, web applications and end points have become more effective in preventing security breaches and are available for managers to invest in. By allocating funds to security-enhancing tools, managers can reduce the probability of cyber-attacks and the potential loss from them, but at the same time the diversion of funds away from productive assets reduces cash flow and increases the firm's vulnerability to financial distress from cyber-attacks in the long run.
We address this problem by developing a multi-period model of the firm's allocation of its internal and available external funds between productive assets and security activities when faced with costs related to security breaches, borrowing and financial distress. The investment in security takes two forms: direct investment in security-enhancing assets, and the choice of productive assets that are less vulnerable to security threats. Productive assets with the added feature of resisting security threats are likely to be costlier than similar assets without those features. Either form of investment in security reduces the funds available for investment in increasing cash inflows. We allow the investments in productive capital to accumulate over time. We show that although the ultimate steady-state level of productive capital is not affected by security breach and financial distress costs, the initial investment in productive capital is lower and the rate of accumulation is slower because of them. Security breach and financial distress costs slow down capital accumulation while accelerating the allocation to security in the short run. Managers who bear higher personal financial distress costs invest more in security and less in productive capital than is optimal from the investors' viewpoint. Moreover, managers have limited tenure in the firm, unlike owner-investors, and are therefore more incentivized to protect the firm's assets in the short run, during their tenure, than to focus on the long run. Finally, we show that external cyber-insurance can benefit both the firm and the insurer over a feasibility range determined by cost parameters. A noteworthy effect of external insurance is that it reduces the difference between the manager-optimal and investor-optimal allocations.
Our paper contributes to the literature in three ways. First, we develop a decision-support model that helps in making resource allocation decisions between productive and security operations in the presence of costly security breaches and financial distress costs. Second, we show that managers have incentives to invest more in security than is optimal for investors. Third, we show that cyber-insurance can be mutually beneficial to both the insured and the insuring firms by reducing the managers' over-allocation of resources to security.
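To make the mechanism described in the two preceding paragraphs concrete, the following simulation is an added illustration for this page; it is not the authors' model and is not drawn from the paper. In it, a firm reinvests a fixed share s of each period's cash flow in security and the rest in productive capital; security spending lowers the expected breach loss, and every uninsured unit of breach loss carries a deadweight financial distress cost. Investors value terminal capital over a 20-period horizon and bear distress costs once; the manager values capital at the end of a 5-period tenure and weights distress costs four times as heavily, as a stand-in for job and pay risk. All functional forms, parameter values, the grid search and the actuarially fair insurance contract are assumptions chosen only to exhibit the qualitative results stated above; the paper's model has none of these specific forms.

```python
"""Toy illustration of the manager-vs-investor security allocation gap.

Constructed example; NOT the model of Srinidhi, Yan and Tayi. Every functional
form and parameter below is an assumption chosen only to make the qualitative
mechanism visible: a fixed share s of each period's cash flow goes to security,
the rest is reinvested in productive capital, security lowers the expected
breach loss, and uninsured breach losses carry a deadweight distress cost.
"""
import math

# Assumed parameters (constructed, not from the paper).
PARAMS = {
    "K0": 100.0,    # initial productive capital endowment
    "r": 0.20,      # cash flow per unit of productive capital per period
    "p0": 0.50,     # breach probability with zero security spend
    "alpha": 0.30,  # share of capital destroyed by a breach
    "lam": 20.0,    # sensitivity of breach probability to security intensity
    "beta": 1.0,    # deadweight distress cost per unit of uninsured breach loss
}


def simulate(s, horizon, coverage=0.0, params=PARAMS):
    """Run the firm forward `horizon` periods with security share s.

    coverage is the fraction of breach loss reimbursed by an insurer at an
    actuarially fair premium (assumption): expected capital dynamics are
    unchanged, but only the uninsured part triggers distress cost.
    Returns (terminal capital, cumulative distress cost), in expectation.
    """
    K = params["K0"]
    cum_distress = 0.0
    for _ in range(horizon):
        cash_flow = params["r"] * K
        security = s * cash_flow
        productive = cash_flow - security
        # Breach probability falls with security spend per unit of assets.
        p_breach = params["p0"] * math.exp(-params["lam"] * security / K)
        expected_loss = p_breach * params["alpha"] * K
        premium = coverage * expected_loss      # fair premium, paid from cash
        reimbursed = coverage * expected_loss   # expected insurer payout
        cum_distress += params["beta"] * (1.0 - coverage) * expected_loss
        K = K + productive - premium - expected_loss + reimbursed
    return K, cum_distress


def value(s, horizon, distress_weight, coverage=0.0):
    """Objective: terminal capital minus weighted cumulative distress cost."""
    K_T, cum_distress = simulate(s, horizon, coverage)
    return K_T - distress_weight * cum_distress


def optimal_share(horizon, distress_weight, coverage=0.0, steps=20):
    """Grid search over the security share s in [0, 1]; first maximizer wins."""
    grid = [i / steps for i in range(steps + 1)]
    return max(grid, key=lambda s: value(s, horizon, distress_weight, coverage))


# Investor: long horizon, bears distress cost once (diversifies the rest).
# Manager: five-period tenure, personal stake multiplies distress cost (assumed x4).
INVESTOR = {"horizon": 20, "distress_weight": 1.0}
MANAGER = {"horizon": 5, "distress_weight": 4.0}


def allocation_gap(coverage=0.0):
    """Manager-optimal minus investor-optimal security share."""
    mgr = optimal_share(coverage=coverage, **MANAGER)
    inv = optimal_share(coverage=coverage, **INVESTOR)
    return mgr - inv


if __name__ == "__main__":
    for cov in (0.0, 0.8, 1.0):
        inv = optimal_share(coverage=cov, **INVESTOR)
        mgr = optimal_share(coverage=cov, **MANAGER)
        print(f"coverage={cov:.1f}  investor s*={inv:.2f}  "
              f"manager s*={mgr:.2f}  gap={mgr - inv:+.2f}")
```

Running the module prints the investor-optimal and manager-optimal security shares without insurance, with 80% coverage, and with full coverage. Under these assumed parameters the manager's optimal share exceeds the investor's, and insurance narrows the gap; with full coverage the distress term vanishes and the two optima coincide, because with a constant per-period growth factor the horizon no longer affects the optimal share. That last property is an artifact of the constant-share policy assumed here, not a result the paper claims.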
We give the background and description of our approach in the next section, and discuss prior related research in Section 3. Section 4 gives the models, results and numerical illustrations for settings with security breach, borrowing and financial distress costs. We examine the role of external insurance in Section 5 and provide summary and concluding remarks in Section 6.
Evidence on the threats and costs of security failures and their mitigation
Increasingly, there are attempts both by parties with malicious intent and by seemingly unrelated third parties (such as hackers) to breach corporate information and financial systems. A U.S. GAO report (GAO-10-536T, March 24, 2010) warns about the vulnerability of federal computer systems to such intrusions, prompting the U.S. Congress to require federal agencies to pursue both technological and organizational measures to enhance cyber security. There is also evidence that the frequency of
Related work
Analysis of information security from an economic perspective has recently attracted much research interest. Gordon and Loeb [18] develop an optimal allocation model among different information assets with different vulnerabilities. Kumar et al. [29] explore firm level security budgeting when decision rights reside with different agents with divergent priorities. Ulvila and Gaffney [46] propose a decision analytic framework for evaluating computer intrusion detection systems. Cavusoglu et al.
The Security Breach Models
The firm starts with an initial capital endowment K0. The investment in productive assets produces cash inflows whereas security-enhancing investments reduce the likelihood of security breaches. The security breach costs deplete the residual cash (funds available after investments in productive and security operations) available to the firm. One consequence of this depletion is that a firm will have fewer resources to invest in revenue generating processes and to pay dividends in future time
Model with Cyber-Insurance
The study of cyber-insurance as a way to mitigate cyber-security risks has received considerable attention over the last decade. Several studies consider cyber-insurance contracts in an interconnected system with different stakeholders when there are correlated security breach damages due to organizational interdependencies (links between suppliers and producers in a supply chain) (Ogut and Menon 2005; [35]; Yurcik 2002; Shetty et al. 2009). A second stream of literature focuses on
Summary and concluding remarks
In this paper, we examine the allocation of resources to productive assets and security operations in the presence of costly security breaches that could result in financial distress. In addition, we also investigate the role of external insurance in mitigating the effects of breach costs. We build a decision support model to aid the decision makers in the allocation of resources to productive and security operations in the presence of cyber-security breach costs and financial distress costs.
References (43)
- Cyber-risk decision models: to insure IT or not? Decision Support Systems, December 2013.
- The effect of directors' equity incentives on earnings management. Journal of Accounting and Public Policy, 2006.
- The risk adjusted cost of financial distress. Journal of Finance, 2007.
- Why IT managers don't go for cyber-insurance products. Communications of the ACM, 2009.
- Cyberrisk Market Survey.
- Capital market pressure, disclosure frequency-induced earnings/cash flow conflict, and managerial myopia. The Accounting Review, 2005.
- Modeling cyber-insurance: towards a unifying framework.
- Security metrics and security investment models.
- Cyber-insurance revisited.
- Cyber insurance as an incentive for internet security.
- The influence of institutional investors on myopic R&D investment behavior. The Accounting Review.
- The value of intrusion detection systems in information technology security architecture. Information Systems Research.
- Security patch management: share the burden or share the damage? Management Science.
- Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems. Information Systems Research.
- Threat assessment and security measures justification for advanced IT networks. Information Systems Control Journal.
- Risk and Responsibility in a Hyper-Connected World: Implications for Enterprises. Insights and Publications.
- A framework for using insurance for cyber-risk management. Communications of the ACM.
- The economics of information security investment. ACM Transactions on Information and System Security.
- Corporate governance: some theory and implications. The Economic Journal.
- Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers.
- Copula based actuarial model for pricing cyber-insurance policies. Insurance Markets and Companies: Analyses and Actuarial Computations.
Cited by (63)
- Cybersecurity and executive compensation: Can inside debt-induced risk aversion improve cyber risk management effectiveness? International Review of Financial Analysis, 2024.
- A hybrid framework using explainable AI (XAI) in cyber-risk management for defence and recovery against phishing attacks. Decision Support Systems, 2024.
- Cybersecurity capabilities and cyber-attacks as drivers of investment in cybersecurity systems: A UK survey for 2018 and 2019. Computers and Security, 2023.
  Citation excerpt: "While organizations consider cybersecurity an important priority in the organization, cybersecurity is not considered part of the core of the business, as can be seen from the disconnection between the organizations' senior managers/direction and the organizations' internal developments in cybersecurity. These results are in line with previous investigations that show the low level of information that organizations' managers have about cybersecurity (Choo, 2011; Fernandez de Arroyabe and Fernandez de Arroyabe, 2021), and confirm that cybersecurity mostly has an operational nature in the organization (S. Okae et al., 2019; Chronopoulos et al., 2017; Srinidhi et al., 2015). Regarding the research question, the results confirm that investment in cybersecurity is a strategic decision in the company."
- Informing cybersecurity strategic commitment through top management perceptions: The role of institutional pressures. Information and Management, 2021.
  Citation excerpt: "In other words, top managers' desire to protect their personal well-being [47] seems to have the greatest impact on their commitment to a cyberinsurance risk management strategy. Our findings confirm agency and expectancy theories that suggest that managers are interested in investments that protect the firm's assets and, therefore, that also protect their personal interests such as job security and salary [68]. This highlights the importance of personal relevance in the top manager's commitment to risk management approaches, which is different from personal relevance in employee security behaviors [47,117]."
- The Finance of Cybersecurity Investment. SSRN, 2024.
- Nexus among blockchain technology adoption and firm performance: perspective from mediating and moderating effects. International Journal of Organizational Analysis, 2024.
Bin Srinidhi is the Carlock Endowed Distinguished Professor of Accounting at University of Texas at Arlington. Dr. Srinidhi's research covers the areas of information economics, corporate governance, auditing, internal control systems and capital market research. His papers have been published in The Journal of Accounting and Economics, The Accounting Review, Contemporary Accounting Research, Review of Accounting Studies, Management Science, Journal of Accounting and Public Policy and Journal of Accounting, Auditing and Finance, among others. He serves as the Co-editor of Journal of Contemporary Accounting and Economics and Associate Editor of Asia Pacific Journal of Accounting and Economics. Prior to joining University of Texas at Arlington, Dr. Srinidhi was Chair Professor of Accountancy at City University of Hong Kong.
Jia Yan is now an assistant professor of economics at Washington State University. Dr. Yan's research covers wide topics in applied microeconomics and applied econometrics. Recent research topics include insurance and evaluating public policies aimed at reducing highway congestion and improving airport/port efficiency. His research papers have appeared in such journals as Econometrica, Journal of Public Economics, Journal of Urban Economics, Brookings-Wharton Papers on Urban Affairs, Insurance: Mathematics and Economics, and Transportation Research Part B: Methodological.
Dr. Yan received the best dissertation award from the transportation and public utility group of the American Economic Association in 2002. He also received the best paper award from the Transportation Research Forum in 2008 and from the International Transportation Economics Association in 2011. Since 2007, he has served on the editorial board of Transportmetrica, and he will serve as Associate Editor of the Journal of Air Transport Management starting in 2013.
Giri Kumar Tayi is a Professor of Management Science and Information Systems at the State University of New York at Albany. He obtained his Ph.D. from Carnegie Mellon University, and his research and teaching interests are interdisciplinary, spanning the fields of Information Systems, Operations Management and Operations Research. His papers have appeared in top-tier academic journals such as Operations Research, Management Science, MIS Quarterly, IEEE Transactions, Networks, Naval Research Logistics, EJOR, Journal of Combinatorial Optimization, INFORMS Journal on Computing, Journal of Computer Security, Government Information Quarterly and Communications of the ACM.
He serves or has served on the Editorial Board of several academic journals such as Information Systems Research, IEEE Intelligent Systems, Decision Sciences, ACM Journal of Data and Information Quality, Information Technology Management, Information Systems Frontiers, Information and Management, International Journal of Shipping and Transport Logistics.