IDEAS home Printed from https://ideas.repec.org/p/cpr/ceprdp/17403.html
   My bibliography  Save this paper

Cyber Risk and Security Investment

Author

Listed:
  • Ahnert, Toni
  • Brolley, Michael
  • Cimon, David
  • Riordan, Ryan

Abstract

We develop a model in which firms invest in cybersecurity to protect themselves and their clients from cyber attacks. Since cyber security investment is unobservable, firms may signal their investment to attract clients. In equilibrium, firms under-invest in cyber security. We derive testable implications for the modality of cyber attacks, the probability of a successful attack, and client fees. To raise efficiency, a regulator can impose a minimum level of security investment or legislate consumer protection that shifts the burden of cyber attacks from clients to firms. Both regulations induce firms to invest the constrained-efficient amount in cyber security.

Suggested Citation

  • Ahnert, Toni & Brolley, Michael & Cimon, David & Riordan, Ryan, 2022. "Cyber Risk and Security Investment," CEPR Discussion Papers 17403, C.E.P.R. Discussion Papers.
    • Handle: RePEc:cpr:ceprdp:17403
    as

    Download full text from publisher

    File URL: https://cepr.org/publications/DP17403
    Download Restriction: CEPR Discussion Papers are free to download for our researchers, subscribers and members. If you fall into one of these categories but have trouble downloading our papers, please contact us at subscribers@cepr.org
    ---><---

    As the access to this document is restricted, you may want to look for a different version below or search for a different version of it.

    Other versions of this item:

    References listed on IDEAS

    as
    1. Britta Hoyer & Kris De Jaegher, 2016. "Strategic Network Disruption and Defense," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 18(5), pages 802-830, October.
    2. Gary S. Becker, 1974. "Crime and Punishment: An Economic Approach," NBER Chapters, in: Essays in the Economics of Crime and Punishment, pages 1-54, National Bureau of Economic Research, Inc.
    3. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    4. Dan Kovenock & Brian Roberson, 2018. "The Optimal Defense Of Networks Of Targets," Economic Inquiry, Western Economic Association International, vol. 56(4), pages 2195-2211, October.
    5. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    6. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    7. Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    8. Antonis Kotidis & Stacey L. Schreft, 2022. "Cyberattacks and Financial Stability: Evidence from a Natural Experiment," Finance and Economics Discussion Series 2022-025, Board of Governors of the Federal Reserve System (U.S.).
    9. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    10. Claudia Biancotti, 2017. "The price of cyber (in)security: evidence from the Italian private sector," Questioni di Economia e Finanza (Occasional Papers) 407, Bank of Italy, Economic Research and International Relations Area.
    11. Dziubiński, Marcin & Goyal, Sanjeev, 2013. "Network design and defence," Games and Economic Behavior, Elsevier, vol. 79(C), pages 30-43.
    12. Sean Foley & Jonathan R Karlsen & Tālis J Putniņš, 2019. "Sex, Drugs, and Bitcoin: How Much Illegal Activity Is Financed through Cryptocurrencies?," The Review of Financial Studies, Society for Financial Studies, vol. 32(5), pages 1798-1853.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Anna Cartwright & Edward Cartwright & Jamie MacColl & Gareth Mott & Sarah Turner & James Sullivan & Jason R. C. Nurse, 2023. "How cyber insurance influences the ransomware payment decision: theory and evidence," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 300-331, April.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Dan Kovenock & Brian Roberson, 2018. "The Optimal Defense Of Networks Of Targets," Economic Inquiry, Western Economic Association International, vol. 56(4), pages 2195-2211, October.
    2. Daniel Woods & Mustafa Abdallah & Saurabh Bagchi & Shreyas Sundaram & Timothy Cason, 2022. "Network defense and behavioral biases: an experimental study," Experimental Economics, Springer;Economic Science Association, vol. 25(1), pages 254-286, February.
    3. Bravard, Christophe & Charroin, Liza & Touati, Corinne, 2017. "Optimal design and defense of networks under link attacks," Journal of Mathematical Economics, Elsevier, vol. 68(C), pages 62-79.
    4. Britta Hoyer & Kris De Jaegher, 2023. "Network disruption and the common-enemy effect," International Journal of Game Theory, Springer;Game Theory Society, vol. 52(1), pages 117-155, March.
    5. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    6. Dan Kovenock & Brian Roberson & Roman M. Sheremeta, 2019. "The attack and defense of weakest-link networks," Public Choice, Springer, vol. 179(3), pages 175-194, June.
    7. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    8. Marcin Dziubinski & Sanjeev Goyal, 2014. "How to Defend a Network?," Cambridge Working Papers in Economics 1450, Faculty of Economics, University of Cambridge.
    9. McBride, Michael & Hewitt, David, 2013. "The enemy you can’t see: An investigation of the disruption of dark networks," Journal of Economic Behavior & Organization, Elsevier, vol. 93(C), pages 32-50.
    10. Dziubiński, Marcin Konrad & Goyal, Sanjeev, 2017. "How do you defend a network?," Theoretical Economics, Econometric Society, vol. 12(1), January.
    11. Chang, Jin-Wook & Jayachandran, Kartik & Ramírez, Carlos A. & Tintera, Ali, 2024. "On the anatomy of cyberattacks," Economics Letters, Elsevier, vol. 238(C).
    12. Manxi Wu & Saurabh Amin, 2019. "Securing Infrastructure Facilities: When Does Proactive Defense Help?," Dynamic Games and Applications, Springer, vol. 9(4), pages 984-1025, December.
    13. Kjell Hausken & Jonathan W. Welburn & Jun Zhuang, 2024. "A Review of Attacker–Defender Games and Cyber Security," Games, MDPI, vol. 15(4), pages 1-27, August.
    14. Lars Hornuf & Paul P. Momtaz & Rachel J. Nam & Ye Yuan, 2023. "Cybercrime on the Ethereum Blockchain," CESifo Working Paper Series 10598, CESifo.
    15. Billand, Pascal & Bravard, Christophe & Iyengar, Sitharama S. & Kumar, Rajnish & Sarangi, Sudipta, 2016. "Network connectivity under node failure," Economics Letters, Elsevier, vol. 149(C), pages 164-167.
    16. Bose, Gautam & Konrad, Kai A., 2020. "Devil take the hindmost: Deflecting attacks to other defenders," Reliability Engineering and System Safety, Elsevier, vol. 204(C).
    17. Haller, Hans & Hoyer, Britta, 2019. "The common enemy effect under strategic network formation and disruption," Journal of Economic Behavior & Organization, Elsevier, vol. 162(C), pages 146-163.
    18. Rehman, Faiz Ur & Nasir, Muhammad & Shahbaz, Muhammad, 2017. "What have we learned? Assessing the effectiveness of counterterrorism strategies in Pakistan," Economic Modelling, Elsevier, vol. 64(C), pages 487-495.
    19. Nora, Vladyslav & Uno, Hiroshi, 2014. "Saddle functions and robust sets of equilibria," Journal of Economic Theory, Elsevier, vol. 150(C), pages 866-877.
    20. Daniel G. Arce & Dan Kovenock J. & Brian Roberson, 2009. "Suicide Terrorism and the Weakest Link," CESifo Working Paper Series 2753, CESifo.

    More about this item

    Keywords

    Cyber risk; Cyber security; ransomware; cyber security ratings; Regulation; Consumer protection;
    All these keywords.

    JEL classification:

    • G10 - Financial Economics - - General Financial Markets - - - General (includes Measurement and Data)
    • G28 - Financial Economics - - Financial Institutions and Services - - - Government Policy and Regulation

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:cpr:ceprdp:17403. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: the person in charge (email available below). General contact details of provider: https://www.cepr.org .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.