
Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection

Authors

  • Hulisi Öğüt
  • Srinivasan Raghunathan
  • Nirup Menon

Abstract

The correlated nature of security breach risks, the imperfect ability to prove loss from a breach to an insurer, and the inability of insurers and external agents to observe firms’ self‐protection efforts have posed significant challenges to cyber security risk management. Our analysis finds that a firm invests less than the social optimal levels in self‐protection and in insurance when risks are correlated and the ability to prove loss is imperfect. We find that the appropriate social intervention policy to induce a firm to invest at socially optimal levels depends on whether insurers can verify a firm's self‐protection levels. If self‐protection of a firm is observable to an insurer so that it can design a contract that is contingent on the self‐protection level, then self‐protection and insurance behave as complements. In this case, a social planner can induce a firm to choose the socially optimal self‐protection and insurance levels by offering a subsidy on self‐protection. We also find that providing a subsidy on insurance does not provide a similar inducement to a firm. If self‐protection of a firm is not observable to an insurer, then self‐protection and insurance behave as substitutes. In this case, a social planner should tax the insurance premium to achieve socially optimal results. The results of our analysis hold regardless of whether the insurance market is perfectly competitive or not, implying that solely reforming the currently imperfect insurance market is insufficient to achieve the efficient outcome in cyber security risk management.

Suggested Citation

  • Hulisi Öğüt & Srinivasan Raghunathan & Nirup Menon, 2011. "Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection," Risk Analysis, John Wiley & Sons, vol. 31(3), pages 497-512, March.
  • Handle: RePEc:wly:riskan:v:31:y:2011:i:3:p:497-512
    DOI: 10.1111/j.1539-6924.2010.01478.x

    Citations

    Cited by:

    1. Eling, Martin & Jung, Kwangmin, 2018. "Copula approaches for modeling cross-sectional dependence of data breach losses," Insurance: Mathematics and Economics, Elsevier, vol. 82(C), pages 167-180.
    2. Arunabha Mukhopadhyay & Samir Chatterjee & Kallol K. Bagchi & Peeter J. Kirs & Girja K. Shukla, 2019. "Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance," Information Systems Frontiers, Springer, vol. 21(5), pages 997-1018, October.
    3. Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.
    4. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    5. Chiara Crovini & Giovanni Ossola & Pier Luigi Marchini, 2018. "Cyber Risk. The New Enemy for Risk Management in the Age of Globalisation," MANAGEMENT CONTROL, FrancoAngeli Editore, vol. 2018(2 Suppl.), pages 135-155.
    6. Alberto Sardi & Alessandro Rizzi & Enrico Sorano & Anna Guerrieri, 2021. "Cyber Risk in Health Facilities: A Systematic Literature Review," Papers 2102.04093, arXiv.org.
    7. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    8. Alberto Sardi & Alessandro Rizzi & Enrico Sorano & Anna Guerrieri, 2020. "Cyber Risk in Health Facilities: A Systematic Literature Review," Sustainability, MDPI, vol. 12(17), pages 1-16, August.
    9. Eling, Martin & Wirfs, Jan Hendrik, 2016. "Cyber Risk: Too Big to Insure? Risk Transfer Options for a mercurial risk class," I.VW HSG Schriftenreihe, University of St.Gallen, Institute of Insurance Economics (I.VW-HSG), volume 59, number 59.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Hausken, Kjell, 2008. "Strategic defense and attack for series and parallel reliability systems," European Journal of Operational Research, Elsevier, vol. 186(2), pages 856-881, April.
    2. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    3. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    4. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    5. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    6. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    7. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    8. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    9. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    10. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    11. Masoud, Najeb & Al-Utaibi, Ghassan, 2022. "The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence," Research in Economics, Elsevier, vol. 76(2), pages 131-140.
    12. Meilin He & Laura Devine & Jun Zhuang, 2018. "Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 215-225, February.
    13. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    14. Dionne, Georges & Harrington, Scott, 2017. "Insurance and Insurance Markets," Working Papers 17-2, HEC Montreal, Canada Research Chair in Risk Management.
    15. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    16. Biener, Christian & Eling, Martin & Landmann, Andreas & Pradhan, Shailee, 2018. "Can group incentives alleviate moral hazard? The role of pro-social preferences," European Economic Review, Elsevier, vol. 101(C), pages 230-249.
    17. Henri Loubergé, 1998. "Risk and Insurance Economics 25 Years After," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 23(4), pages 540-567, October.
    18. Stewart, Jay, 1994. "The Welfare Implications of Moral Hazard and Adverse Selection in Competitive Insurance Markets," Economic Inquiry, Western Economic Association International, vol. 32(2), pages 193-208, April.
    19. Dongyuan Zhan & Amy R. Ward, 2019. "Staffing, Routing, and Payment to Trade off Speed and Quality in Large Service Systems," Operations Research, INFORMS, vol. 67(6), pages 1738-1751, November.
    20. Kai-Lung Hui & Ping Fan Ke & Yuxi Yao & Wei T. Yue, 2019. "Bilateral Liability-Based Contracts in Information Security Outsourcing," Information Systems Research, INFORMS, vol. 30(2), pages 411-429, June.
