Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling
Abstract
The interdependency of information security risks poses a significant challenge for firms to manage security. Firms may over- or under-invest in security because security investments generate network externalities. In this paper, we explore how firms can use three risk management approaches, third-party cyberinsurance, managed security service (MSS) and risk pooling arrangement (RPA), to address the issue of investment inefficiency. We show that compared with cyberinsurance, MSS is more effective in mitigating the security investment inefficiency because the MSS provider (MSSP) serving multiple firms can endogenize the externalities of security investments. However, the investment externalities may discourage a for-profit MSSP from serving all firms even on a monopoly market. We then show that firms can use RPA as a complement to cyberinsurance to address risk interdependency for all firms. However, the adoption of RPA is incentive-compatible for firms only when the security investments generate negative externalities.
Similar resources
Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements
The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative ri...
Identifying Information Security Risk Components in Military Hospitals in Iran
Background and Aim: Information systems are always at risk of information theft, information change, and interruptions in service delivery. Therefore, the present study was conducted to develop a model for identifying information security risk in military hospitals in Iran. Methods: This study was a qualitative content analysis conducted in military hospitals in Iran in 2019. The sample consist...
Security Adoption and Influence of Cyber-insurance Market in Heterogeneous Networks
Hosts (or nodes) in the Internet often face epidemic risks such as virus and worm attacks. Despite the awareness of these risks and the importance of network/system security, investment in security protection is still scarce, and hence epidemic risk is still prevalent. Deciding whether to invest in security protection is an interdependent process: security investment decision made by one node ca...
Can Competitive Insurers Improve Network Security?
The interdependent nature of security on the Internet causes a negative externality that results in under-investment in technology-based defences. Previous research suggests that, in such an environment, cyber-insurance may serve as an important tool not only to manage risks but also to improve the incentives for investment in security. This paper investigates how competitive cyber-insurers affe...
Managing Security Service Providers: Issues in Outsourcing Security
The issue of trust and risk in outsourced relationships was extended beyond traditional outsourcing models with the introduction of Application Service Providers (ASPs). As ASPs evolve, Managed Security Service Providers (MSSPs) have emerged as external providers of security for firms facing increasing information assurance threats. This research-in-progress paper develops a conceptual model of...