Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling

نویسندگان

  • Xia Zhao
  • Ling Xue
  • Andrew B. Whinston
چکیده

The interdependency of information security risks poses a significant challenge for firms to manage security. Firms may overor under-invest in security because security investments generate network externalities. In this paper, we explore how firms can use three risk management approaches, third-party cyberinsurance, managed security service (MSS) and risk pooling arrangement (RPA), to address the issue of investment inefficiency. We show that compared with cyberinsurance, MSS is more effective in mitigating the security investment inefficiency because the MSS provider (MSSP) serving multiple firms can endogenize the externalities of security investments. However, the investment externalities may discourage a for-profit MSSP from serving all firms even on a monopoly market. We then show that firms can use RPA as a complement to cyberinsurance to address risk interdependency for all firms. However, the adoption of RPA is incentive-compatible for firms only when the security investments generate negative externalities.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative ri...

متن کامل

Identifying Information Security Risk Components in Military Hospitals in Iran

Background and Aim: Information systems are always at risk of information theft, information change, and interruptions in service delivery. Therefore, the present study was conducted to develop a model for identifying information security risk in military hospitals in Iran. Methods: This study was a qualitative content analysis conducted in military hospitals in Iran in 2019. The sample consist...

متن کامل

Security Adoption and Influence of Cyber-insurance Market in Heterogeneous Networks

Hosts (or nodes) in the Internet often face epidemic risks such as virus and worms attack. Despite the awareness of these risks and the importance of network/system security, investment in security protection is still scare, and hence epidemic risk is still prevalent. Deciding whether to invest in security protection is an interdependent process: security investment decision made by one node ca...

متن کامل

Can Competitive Insurers Improve Network Security?

The interdependent nature of security on the Internet causes a negative externality that results in under-investment in technologybased defences. Previous research suggests that, in such an environment, cyber-insurance may serve as an important tool not only to manage risks but also to improve the incentives for investment in security. This paper investigates how competitive cyber-insurers affe...

متن کامل

Managing Security Service Providers: Issues in Outsourcing Security

The issue of trust and risk in outsourced relationships was extended beyond traditional outsourcing models with the introduction of Application Service Providers (ASPs). As ASPs evolve, Managed Security Service Providers (MSSPs) have emerged as external providers of security for firms facing increasing information assurance threats. This research-in-progress paper develops a conceptual model of...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2009