IDEAS home Printed from https://ideas.repec.org/a/bla/jecsur/v36y2022i1p157-187.html
   My bibliography  Save this article

Dangerous games: A literature review on cybersecurity investments

Author

Listed:
  • Alessandro Fedele
  • Cristian Roner

Abstract

Cybersecurity has gained prominence in the decision‐making of firms. Due to the increasing occurrences of threats in the cyberspace, investments in cybersecurity have become critical to mitigate the operational disruption of businesses. This paper surveys the theoretical literature on the firms' incentives to invest in cybersecurity. A taxonomy of the existing contributions is provided to frame them in a common reference scheme and a model is developed to encompass such contributions and discuss their main findings. Papers that investigate the investment problem of an isolated firm are distinguished from those that consider interdependent firms. In turn, interdependent cybersecurity is analyzed in three different contexts: (i) firms that operate their business via a common computer network, but are not competitors in the product market; (ii) firms that are competitors in the product market, but run their business using non‐interconnected computer systems; (iii) firms that are competitors and rely on a common computer network. Finally, promising avenues for future research and policy implications are discussed.

Suggested Citation

  • Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
  • Handle: RePEc:bla:jecsur:v:36:y:2022:i:1:p:157-187
    DOI: 10.1111/joes.12456
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/joes.12456
    Download Restriction: no

    File URL: https://libkey.io/10.1111/joes.12456?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    Other versions of this item:

    References listed on IDEAS

    as
    1. Shinichi Kamiya & Jun-Koo Kang & Jungmin Kim & Andreas Milidonis & René M. Stulz, 2018. "What is the Impact of Successful Cyberattacks on Target Firms?," NBER Working Papers 24409, National Bureau of Economic Research, Inc.
    2. Xinbao Liu & Xiaofei Qian & Jun Pei & Panos M. Pardalos, 2018. "Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size," Journal of Global Optimization, Springer, vol. 70(2), pages 413-436, February.
    3. Alfredo Garcia & Barry Horowitz, 2007. "The potential for underinvestment in internet security: implications for regulatory policy," Journal of Regulatory Economics, Springer, vol. 31(1), pages 37-55, February.
    4. Geoffrey Heal & Howard Kunreuther, 2005. "IDS Models of Airline Security," Journal of Conflict Resolution, Peace Science Society (International), vol. 49(2), pages 201-217, April.
    5. Sanjeev Goyal & Adrien Vigier, 2014. "Attack, Defence, and Contagion in Networks," The Review of Economic Studies, Review of Economic Studies Ltd, vol. 81(4), pages 1518-1542.
    6. Arrah-Marie Jo, 2017. "The effect of competition intensity on software security - An empirical analysis of security patch release on the web browser market," Post-Print hal-03098980, HAL.
    7. Kathryn Merrick & Medria Hardhienata & Kamran Shafi & Jiankun Hu, 2016. "A Survey of Game Theoretic Approaches to Modelling Decision-Making in Information Warfare Scenarios," Future Internet, MDPI, vol. 8(3), pages 1-29, July.
    8. Liao, Chun-Hsiung & Chen, Chun-Wei, 2014. "Network externality and incentive to invest in network security," Economic Modelling, Elsevier, vol. 36(C), pages 398-404.
    9. Alfredo Garcia & Yue Sun & Joseph Shen, 2014. "Dynamic Platform Competition with Malicious Users," Dynamic Games and Applications, Springer, vol. 4(3), pages 290-308, September.
    10. Tanaka, Hideyuki & Matsuura, Kanta & Sudoh, Osamu, 2005. "Vulnerability and information security investment: An empirical analysis of e-local government in Japan," Journal of Accounting and Public Policy, Elsevier, vol. 24(1), pages 37-59.
    11. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    12. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    13. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    14. Dziubiński, Marcin Konrad & Goyal, Sanjeev, 2017. "How do you defend a network?," Theoretical Economics, Econometric Society, vol. 12(1), January.
    15. Xiaofei Qian & Jun Pei & Xinbao Liu & Mi Zhou & Panos M. Pardalos, 2019. "Information security decisions for two firms in a market with different types of customers," Journal of Combinatorial Optimization, Springer, vol. 38(4), pages 1263-1285, November.
    16. repec:oup:restud:v:81:y:2014:i:4:p:1518-1542. is not listed on IDEAS
    17. Emanuel Kopp & Lincoln Kaffenberger & Christopher Wilson, 2017. "Cyber Risk, Market Failures, and Financial Stability," IMF Working Papers 2017/185, International Monetary Fund.
    18. Cristian Roner & Claudia Di Caterina & Davide Ferrari, 2021. "Exponential Tilting for Zero-inflated Interval Regression with Applications to Cyber Security Survey Data," BEMPS - Bozen Economics & Management Paper Series BEMPS85, Faculty of Economics and Management at the Free University of Bozen.
    19. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    20. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    21. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    22. Derrick Huang, C. & Hu, Qing & Behara, Ravi S., 2008. "An economic analysis of the optimal information security investment in the case of a risk-averse firm," International Journal of Production Economics, Elsevier, vol. 114(2), pages 793-804, August.
    23. Kjell Hausken, 2006. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability," Information Systems Frontiers, Springer, vol. 8(5), pages 338-349, December.
    24. Anna Nagurney & Ladimer Nagurney, 2015. "A game theory model of cybersecurity investments with information asymmetry," Netnomics, Springer, vol. 16(1), pages 127-148, August.
    25. Dziubiński, Marcin & Goyal, Sanjeev, 2013. "Network design and defence," Games and Economic Behavior, Elsevier, vol. 79(C), pages 30-43.
    26. Dan Geer & Eric Jardine & Eireann Leverett, 2020. "On market concentration and cybersecurity risk," Journal of Cyber Policy, Taylor & Francis Journals, vol. 5(1), pages 9-29, July.
    27. Eli Amir & Shai Levi & Tsafrir Livne, 2018. "Do firms underreport information on cyber-attacks? Evidence from capital markets," Review of Accounting Studies, Springer, vol. 23(3), pages 1177-1206, September.
    28. Jack Hirshleifer, 1983. "From weakest-link to best-shot: The voluntary provision of public goods," Public Choice, Springer, vol. 41(3), pages 371-386, January.
    29. Stefano Comino & Fabio M. Manenti, 2014. "Industrial Organisation of High-Technology Markets," Books, Edward Elgar Publishing, number 15081.
    30. Cerdeiro, Diego A. & Dziubiński, Marcin & Goyal, Sanjeev, 2017. "Individual security, contagion, and network design," Journal of Economic Theory, Elsevier, vol. 170(C), pages 182-226.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    2. Hausken, Kjell, 2024. "Fifty Years of Operations Research in Defense," European Journal of Operational Research, Elsevier, vol. 318(2), pages 355-368.
    3. Dan Kovenock & Brian Roberson, 2018. "The Optimal Defense Of Networks Of Targets," Economic Inquiry, Western Economic Association International, vol. 56(4), pages 2195-2211, October.
    4. Liao, Chun-Hsiung & Chen, Chun-Wei, 2014. "Network externality and incentive to invest in network security," Economic Modelling, Elsevier, vol. 36(C), pages 398-404.
    5. Bloch, Francis & Chatterjee, Kalyan & Dutta, Bhaskar, 2023. "Attack and interception in networks," Theoretical Economics, Econometric Society, vol. 18(4), November.
    6. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    7. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    8. Xiaofei Qian & Jun Pei & Xinbao Liu & Mi Zhou & Panos M. Pardalos, 2019. "Information security decisions for two firms in a market with different types of customers," Journal of Combinatorial Optimization, Springer, vol. 38(4), pages 1263-1285, November.
    9. Daniel Woods & Mustafa Abdallah & Saurabh Bagchi & Shreyas Sundaram & Timothy Cason, 2022. "Network defense and behavioral biases: an experimental study," Experimental Economics, Springer;Economic Science Association, vol. 25(1), pages 254-286, February.
    10. Bloch, Francis & Dutta, Bhaskar & Dziubiński, Marcin, 2020. "A game of hide and seek in networks," Journal of Economic Theory, Elsevier, vol. 190(C).
    11. Britta Hoyer & Kris De Jaegher, 2023. "Network disruption and the common-enemy effect," International Journal of Game Theory, Springer;Game Theory Society, vol. 52(1), pages 117-155, March.
    12. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    13. Aldasoro, Iñaki & Gambacorta, Leonardo & Giudici, Paolo & Leach, Thomas, 2022. "The drivers of cyber risk," Journal of Financial Stability, Elsevier, vol. 60(C).
    14. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    15. Xinbao Liu & Xiaofei Qian & Jun Pei & Panos M. Pardalos, 2018. "Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size," Journal of Global Optimization, Springer, vol. 70(2), pages 413-436, February.
    16. Loic Mar'echal & Alain Mermoud & Dimitri Percia David & Mathias Humbert, 2024. "Measuring the performance of investments in information security startups: An empirical analysis by cybersecurity sectors using Crunchbase data," Papers 2402.04765, arXiv.org, revised Feb 2024.
    17. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    18. Crosignani, Matteo & Macchiavelli, Marco & Silva, André F., 2023. "Pirates without borders: The propagation of cyberattacks through firms’ supply chains," Journal of Financial Economics, Elsevier, vol. 147(2), pages 432-448.
    19. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    20. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.

    More about this item

    JEL classification:

    • L86 - Industrial Organization - - Industry Studies: Services - - - Information and Internet Services; Computer Software
    • M15 - Business Administration and Business Economics; Marketing; Accounting; Personnel Economics - - Business Administration - - - IT Management
    • D81 - Microeconomics - - Information, Knowledge, and Uncertainty - - - Criteria for Decision-Making under Risk and Uncertainty
    • C72 - Mathematical and Quantitative Methods - - Game Theory and Bargaining Theory - - - Noncooperative Games
    • D62 - Microeconomics - - Welfare Economics - - - Externalities

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:bla:jecsur:v:36:y:2022:i:1:p:157-187. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: http://www.blackwellpublishing.com/journal.asp?ref=0950-0804 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.