Journal
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS
Volume 30, Issue 1, Pages 123-152Publisher
ROUTLEDGE JOURNALS, TAYLOR & FRANCIS LTD
DOI: 10.2753/MIS0742-1222300104
Keywords
cyberinsurance; information security; interdependent risks; managed security services; risk management; risk pooling
Funding
- National Science Foundation [0831338]
- Division Of Computer and Network Systems
- Direct For Computer & Info Scie & Enginr [1228990] Funding Source: National Science Foundation
- Division Of Computer and Network Systems
- Direct For Computer & Info Scie & Enginr [0831338] Funding Source: National Science Foundation
Ask authors/readers for more resources
The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available