Market Impact on IT Security Spending

• Published in: Decision sciences Vol. 44; no. 3; pp. 517 - 556
• Main Authors: Kolfal, Bora, Patterson, Raymond A., Yeo, M. Lisa
• Format: Journal Article
• Language: English
• Published: Atlanta Blackwell Publishing Ltd 01.06.2013; American Institute for Decision Sciences
• Subjects: Asymmetry; Capital investments; Continuous-Time Markov Chain; Decision analysis; Direct and Cross-Risk Elasticity of Demand; Duopoly; Economic behaviour; Elasticity; Information technology; Investment decision; IT Security; Markovian processes; Regulation; Security; Security management; Studies
• ISSN: 0011-7315; 1540-5915
• DOI: 10.1111/deci.12023

ABSTRACT Traditionally, IT security investment decisions are made in isolation. However, as firms that compete for customers in an industry are closely interlinked, a macro perspective is needed in analyzing these decisions. We utilize the notions of direct‐ and cross‐risk elasticity to describe the customer response to adverse IT security events in the firm and competitor, respectively, thus allowing us to analyze optimal security investment decisions. Examining both symmetric and asymmetric duopoly cases using a continuous‐time Markov chain (CTMC) model, we demonstrate that optimal IT security spending, expected firm profits and willingness of firms to cooperate on security improvements are highly dependent on the nature of customer response to adverse events. We also examine the investment problem when security attacks on different firms are correlated.