University of Surrey

Test tubes in the lab Research in the ATI Dance Research

An Options Approach to Cybersecurity Investment

Chronopoulos, M, Panaousis, Emmanouil and Grossklags, J (2017) An Options Approach to Cybersecurity Investment IEEE Access, 6. pp. 12175-12186.

08110826.pdf - Accepted version Manuscript

Download (3MB) | Preview


Cybersecurity has become a key factor that determines the success or failure of companies that rely on information systems. Therefore, investment in cybersecurity is an important financial and operational decision. Typical information technology investments aim to create value, whereas cybersecurity investments aim to minimize loss incurred by cyber attacks. Admittedly, cybersecurity investment has become an increasingly complex one since information systems are typically subject to frequent attacks, whose arrival and impact fluctuate stochastically. Further, cybersecurity measures and improvements, such as patches, become available at random points in time making investment decisions even more challenging. We propose and develop an analytical real options framework that incorporates major components relevant to cybersecurity practice, and analyze how optimal cybersecurity investment decisions perform for a private firm. The novelty of this paper is that it provides analytical solutions that lend themselves to intuitive interpretations regarding the effect of timing and cybersecurity risk on investment behavior using real options theory. Such aspects are frequently not implemented within economic models that support policy initiatives. However, if these are not properly understood, security controls will not be properly set resulting in a dynamic inefficiency reflected in cycles of over or under investment, and, in turn, increased cybersecurity risk following corrective policy actions. Results indicate that greater uncertainty over the cost of cybersecurity attacks raises the value of an embedded option to invest in cybersecurity. This increases the incentive to suspend operations temporarily in order to install a cybersecurity patch that will make the firm more resilient to cybersecurity breaches. Similarly, greater likelihood associated with the availability of a cybersecurity patch increases the value of the option to invest in cybersecurity. However, absence of an embedded investment option increases the incentive to delay the permanent abandonment of the company’s operation due to the irreversible nature of the decision.

Item Type: Article
Divisions : Faculty of Engineering and Physical Sciences > Computing Science
Authors :
Chronopoulos, M
Grossklags, J
Date : 15 November 2017
DOI : 10.1109/ACCESS.2017.2773366
Copyright Disclaimer : Copyright 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Uncontrolled Keywords : Cybersecurity, investment analysis, real options.
Depositing User : Melanie Hughes
Date Deposited : 22 Nov 2017 12:24
Last Modified : 16 Jan 2019 19:04

Actions (login required)

View Item View Item


Downloads per month over past year

Information about this web site

© The University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom.
+44 (0)1483 300800