
Cyber Risk and Security Investment

Authors

  • Toni Ahnert
  • Michael Brolley
  • David Cimon
  • Ryan Riordan

Abstract

We develop a model in which firms invest in cybersecurity to protect themselves and their clients from cyber attacks. Since cyber security investment is unobservable, firms may signal their investment to attract clients. In equilibrium, firms under-invest in cyber security. We derive testable implications for the modality of cyber attacks, the probability of a successful attack, and client fees. To improve efficiency, a regulator can impose a minimum level of security investment or legislate consumer protection that shifts the burden of cyber attacks from clients to firms. Both regulations induce firms to invest the constrained-efficient amount in cyber security.

Suggested Citation

  • Toni Ahnert & Michael Brolley & David Cimon & Ryan Riordan, 2022. "Cyber Risk and Security Investment," Staff Working Papers 22-32, Bank of Canada.
  • Handle: RePEc:bca:bocawp:22-32

    Download full text from publisher

    File URL: https://www.bankofcanada.ca/wp-content/uploads/2022/07/swp2022-32.pdf
    File Function: Full text
    Download Restriction: no

    References listed on IDEAS

    1. Britta Hoyer & Kris De Jaegher, 2016. "Strategic Network Disruption and Defense," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 18(5), pages 802-830, October.
    2. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    3. Gary S. Becker, 1974. "Crime and Punishment: An Economic Approach," NBER Chapters, in: Essays in the Economics of Crime and Punishment, pages 1-54, National Bureau of Economic Research, Inc.
    4. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    5. Dan Kovenock & Brian Roberson, 2018. "The Optimal Defense Of Networks Of Targets," Economic Inquiry, Western Economic Association International, vol. 56(4), pages 2195-2211, October.
    6. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    7. Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    8. Antonis Kotidis & Stacey L. Schreft, 2022. "Cyberattacks and Financial Stability: Evidence from a Natural Experiment," Finance and Economics Discussion Series 2022-025, Board of Governors of the Federal Reserve System (U.S.).
    9. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    10. Claudia Biancotti, 2017. "The price of cyber (in)security: evidence from the Italian private sector," Questioni di Economia e Finanza (Occasional Papers) 407, Bank of Italy, Economic Research and International Relations Area.
    11. Dziubiński, Marcin & Goyal, Sanjeev, 2013. "Network design and defence," Games and Economic Behavior, Elsevier, vol. 79(C), pages 30-43.
    12. Sean Foley & Jonathan R Karlsen & Tālis J Putniņš, 2019. "Sex, Drugs, and Bitcoin: How Much Illegal Activity Is Financed through Cryptocurrencies?," The Review of Financial Studies, Society for Financial Studies, vol. 32(5), pages 1798-1853.

    Citations


    Cited by:

    1. Anna Cartwright & Edward Cartwright & Jamie MacColl & Gareth Mott & Sarah Turner & James Sullivan & Jason R. C. Nurse, 2023. "How cyber insurance influences the ransomware payment decision: theory and evidence," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 300-331, April.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Dan Kovenock & Brian Roberson, 2018. "The Optimal Defense Of Networks Of Targets," Economic Inquiry, Western Economic Association International, vol. 56(4), pages 2195-2211, October.
    2. Daniel Woods & Mustafa Abdallah & Saurabh Bagchi & Shreyas Sundaram & Timothy Cason, 2022. "Network defense and behavioral biases: an experimental study," Experimental Economics, Springer;Economic Science Association, vol. 25(1), pages 254-286, February.
    3. Bravard, Christophe & Charroin, Liza & Touati, Corinne, 2017. "Optimal design and defense of networks under link attacks," Journal of Mathematical Economics, Elsevier, vol. 68(C), pages 62-79.
    4. Britta Hoyer & Kris De Jaegher, 2023. "Network disruption and the common-enemy effect," International Journal of Game Theory, Springer;Game Theory Society, vol. 52(1), pages 117-155, March.
    5. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    6. Dan Kovenock & Brian Roberson & Roman M. Sheremeta, 2019. "The attack and defense of weakest-link networks," Public Choice, Springer, vol. 179(3), pages 175-194, June.
    7. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    8. Marcin Dziubinski & Sanjeev Goyal, 2014. "How to Defend a Network?," Cambridge Working Papers in Economics 1450, Faculty of Economics, University of Cambridge.
    9. McBride, Michael & Hewitt, David, 2013. "The enemy you can’t see: An investigation of the disruption of dark networks," Journal of Economic Behavior & Organization, Elsevier, vol. 93(C), pages 32-50.
    10. Dziubiński, Marcin Konrad & Goyal, Sanjeev, 2017. "How do you defend a network?," Theoretical Economics, Econometric Society, vol. 12(1), January.
    11. Chang, Jin-Wook & Jayachandran, Kartik & Ramírez, Carlos A. & Tintera, Ali, 2024. "On the anatomy of cyberattacks," Economics Letters, Elsevier, vol. 238(C).
    12. Manxi Wu & Saurabh Amin, 2019. "Securing Infrastructure Facilities: When Does Proactive Defense Help?," Dynamic Games and Applications, Springer, vol. 9(4), pages 984-1025, December.
    13. Kjell Hausken & Jonathan W. Welburn & Jun Zhuang, 2024. "A Review of Attacker–Defender Games and Cyber Security," Games, MDPI, vol. 15(4), pages 1-27, August.
    14. Lars Hornuf & Paul P. Momtaz & Rachel J. Nam & Ye Yuan, 2023. "Cybercrime on the Ethereum Blockchain," CESifo Working Paper Series 10598, CESifo.
    15. Billand, Pascal & Bravard, Christophe & Iyengar, Sitharama S. & Kumar, Rajnish & Sarangi, Sudipta, 2016. "Network connectivity under node failure," Economics Letters, Elsevier, vol. 149(C), pages 164-167.
    16. Bose, Gautam & Konrad, Kai A., 2020. "Devil take the hindmost: Deflecting attacks to other defenders," Reliability Engineering and System Safety, Elsevier, vol. 204(C).
    17. Haller, Hans & Hoyer, Britta, 2019. "The common enemy effect under strategic network formation and disruption," Journal of Economic Behavior & Organization, Elsevier, vol. 162(C), pages 146-163.
    18. Rehman, Faiz Ur & Nasir, Muhammad & Shahbaz, Muhammad, 2017. "What have we learned? Assessing the effectiveness of counterterrorism strategies in Pakistan," Economic Modelling, Elsevier, vol. 64(C), pages 487-495.
    19. Nora, Vladyslav & Uno, Hiroshi, 2014. "Saddle functions and robust sets of equilibria," Journal of Economic Theory, Elsevier, vol. 150(C), pages 866-877.
    20. Daniel G. Arce & Dan Kovenock J. & Brian Roberson, 2009. "Suicide Terrorism and the Weakest Link," CESifo Working Paper Series 2753, CESifo.

    More about this item

    Keywords

    Economic models; Financial services; Financial stability; Financial system regulation and policies; Payment clearing and settlement systems;

    JEL classification:

    • D78 - Microeconomics - - Analysis of Collective Decision-Making - - - Positive Analysis of Policy Formulation and Implementation
    • D81 - Microeconomics - - Information, Knowledge, and Uncertainty - - - Criteria for Decision-Making under Risk and Uncertainty
    • G18 - Financial Economics - - General Financial Markets - - - Government Policy and Regulation
    • G21 - Financial Economics - - Financial Institutions and Services - - - Banks; Other Depository Institutions; Micro Finance Institutions; Mortgages
    • G23 - Financial Economics - - Financial Institutions and Services - - - Non-bank Financial Institutions; Financial Instruments; Institutional Investors
