# Increasing cybersecurity investments in private sector firms

Save this PDF as:

Size: px
Start display at page:

## Transcription

5 Journal of Cybersecurity, 2015, Vol. 1, No. 1 7 Expansion Path ISOSEC 3 ISOSEC 2 Level of Security Input Y ISOSEC 1 Figure 1. Cybersecurity expansion path. Budget 1 vertical axis measures the amount of a second cybersecurity input (e.g. software quality) or a composite of all other security inputs, denoted as Y, for which we assume the government cannot attain a verifiable measure. The firm s level of cybersecurity is determined by the level of inputs (x; y). As noted above, each ISOSEC curve is the set of all pairs of inputs (x; y) resulting in a given level of cybersecurity and is assumed to be convex to the origin. The budget, B, for expenditures on cybersecurity inputs is the line segment given by the set fðx; yþ j x 0; y 0; and x þ y ¼ Bg: Dotted lines in Fig. 1 represents the budget lines for three budget levels, where B 3 > B 2 > B 1. An efficient firm expands its ex ante cybersecurity level (i.e. decreases the probability of a cybersecurity breach) by selecting a combination of cybersecurity inputs where the budget line is tangent to an ISOSEC curve. The point of tangency is where the marginal benefit (i.e. the marginal increase in the cybersecurity level) of input X equals the marginal benefit of input Y [We have assumed the inputs are measured in a way that one unit of each input cost one dollar. More generally, the point of tangency is where ratio of prices of the cybersecurity inputs equals the marginal rate of technical substitution of the cybersecurity inputs (i.e. the ratio of the marginal benefits of the inputs)]. At that point, the firm reaches the highest ISOSEC for a given budget level. In other words, an efficient firm spends its given budget for cybersecurity activities on the optimal mix of inputs, given the costs of the different outputs. This will map out on the firm s optimal cybersecurity expansion path shown in Fig. 1. If a firm were to take into account externalities, this would not change the firm s expansion path [Taking externalities into account, however, would lead the firm to operate at a higher point on Budget 2 ISOSEC curves combinations of levels of the two cybersecurity inputs that result in the same level of cybersecurity. Budget 3 Level of Security Input X the expansion path. This statement is based on the assumption that externalities are only associated with the occurrence of a cybersecurity breach, and implicitly assumes that there are no externalities (e.g. pollution effects) associated with the use of one or more of the inputs (X and Y)]. Now let us look at Fig. 2, and assume that the firm initially has a budget for cybersecurity expenditures equal to B 1. If the firm were efficient in its allocation of the cybersecurity budget (B 1 ) to inputs X and Y (i.e. the firm knows and uses the optimal mix of X and Y for a budget level of B 1 ), it would select the combination of inputs equal to x 1 and y 1. That is, ðx 1 ; y 1 Þ represents the efficient allocation of B 1, in terms of providing the maximum cybersecurity level of ISOSEC 1. However, suppose that the government wants to raise the level of cybersecurity achieved by this firm to a target cybersecurity level of ISOSEC T. That is, even if it were assumed that the firm is investing the optimal amount to cover its private costs of cybersecurity breaches, the government could believe the firm is not investing enough to cover the externalities associated with such breaches. Notice that this latter argument is independent of the government s ability to measure the exact level of security. To raise the firm s cybersecurity level to ISOSEC T, let us assume the government imposes a regulatory constraint on X of x R (recall that the government can get verifiable data on X). In this article, we focus on the frictionless case where the regulator can enforce input standards without cost. In practice, the regulator could audit a firm s compliance with the standards at a cost, although the audit would be imperfect [If we relax the assumption that the regulator can enforce the standards without costs, then adding compliance to our analysis would require considering the cost of auditing by the

6 8 Journal of Cybersecurity, 2015, Vol. 1, No. 1 Figure 2. Inappropriate regulatory strategies can cause firms to reduce their overall levels of cybersecurity. regulator, the penalties for non-compliance, and the fact that firms take into account the imperfect (i.e. probabilistic) nature of auditing. To the extent that firms take into account imperfect and costly enforcement, compliance would be lessened, as would the actual benefits of such input regulation; note that while enforcement of ex ante standards is imperfect and costly, enforcement of ex post liability rules are also imperfect and costly. Shavell [37] highlights two enforcement problems with liability rules: (i) prosecution is uncertain, and (ii) penalties sufficient to induce optimal behavior may not be feasible because of firms inability to pay such penalties]. However, under this scenario we also assume that the firm is not willing (or cannot afford) to raise its budget to B 2. In other words, we assume the firm s budget is fixed at B 1. The firm would solve this constrained optimization problem by setting X at the x R level and setting Y at the y R level shown in Fig. 2. As shown in Fig. 2, at (x R ; y R ), the cybersecurity level attained would be ISOSEC R, which represents a lower level of cybersecurity than the pre-regulation level of cybersecurity of ISOSEC 1. Thus, with the assumption that the firm remains with its initial cybersecurity budget constraint of B 1, the government regulation actually motivates the firm to decrease its level of cybersecurity. In other words, after complying with the regulation on input X (i.e. x x R ), but not increasing its overall budget for cybersecurity spending (i.e. keeping the budget at B 1 ), the firm is no longer using its inputs in an efficient manner [Suppose the firm responded to the regulation by increasing the cybersecurity budget by (x R x 1 ), so that the new budget equals B 2 in Fig. 2. Then, with the regulation, the firm would select input levels (x R, y 1 ), and achieve the target information security level ISOSEC T. Note, however, that although the cybersecurity level has increased, with the new budget B 2, the firm could further increase its cybersecurity level by using a little less of the regulated input X and increasing the level of the unregulated input Y. Suppose, however, that the firm responded to the regulation by increasing the cybersecurity budget by an amount less than (x R -x 1 ), so that the new budget equals B 0, where B 1 < B 0 < B 2. One can easily verify that there exists a threshold budget level, call it B T, where B 1 < B T < B 2 such that for B 0 < B T, the firm responding to the regulation would select input levels such that the cybersecurity level would be less than the initial level ISOSEC 1 (but greater than ISOSEC R ); and for B 0 > B T, the firm would select input levels such that cybersecurity level would be greater the initial level ISOSEC 1 (but less that than ISOSEC T )]. The above analysis illustrates a case where a regulation on an input to cybersecurity lowers the firm s level of cybersecurity. With some minor changes to the analysis, it is easy to illustrate a situation where a regulation on an input to cybersecurity, without any government subsidy, could possibly increase the firm s level of cybersecurity. For example, if the firm were initially allocating its cybersecurity budget of B 1 inefficiently (i.e. the firm does not know the optimal mix of inputs for a given budget level) and spending x R on X and y R on Y, a government regulation that forced the firm to spend y 1 on Y could possibly move the firm to spend x 1 on X (instead of x R ). In this scenario, the firm s cybersecurity level would move from the ISOSE C R to the ISOSEC 1, given the budget constraint of B 1 (Fig. 2). Now let us return to the assumption that the firm is able to determine the optimal mix of its cybersecurity inputs. Furthermore, we now assume the firm is willing (and able) to raise its cybersecurity budget to keep its cybersecurity expenditures on Y at y 1, after complying with the regulation that the level of input X must be at least x R : At ðx R ; y 1 Þ, with a budget of B 2, the firm would reach the target cybersecurity level of ISOSEC T (Fig. 2).

7 Journal of Cybersecurity, 2015, Vol. 1, No. 1 9 Implications The preceding analysis shows that the potential for government incentives/regulations to increase cybersecurity investments by private sector firms is dependent on the following two fundamental issues: (i) whether or not firms are utilizing the optimal mix of inputs to cybersecurity, and (ii) whether or not firms are able, and willing, to increase their investments in cybersecurity activities. Thus, three general implications are apparent from our input output framework provided above. First, if it were assumed that the total expenditures by firms on cybersecurity activities (i.e. the budget for spending on cybersecurity inputs) are fixed, and that firms are already utilizing the optimal mix of cybersecurity inputs, for different levels of spending on cybersecurity (i.e. firms know the optimal expansion path shown in Fig. 1), government incentives/regulations that encourage changes in the resource allocations among cybersecurity inputs would lower the firms level of cybersecurity. Second, if it were assumed that the total expenditures by firms on cybersecurity activities (i.e. the budget for spending on cybersecurity inputs) are fixed, but that firms are not able to determine the optimal mix of cybersecurity inputs (i.e. organizations do not know their optimal expansion path shown in Fig. 1), government incentives/regulations (e.g. mandatory cybersecurity standards) that encourage changes in resource allocations among cybersecurity inputs could either increase or decrease the level of cybersecurity in firms. In this case, the outcome of such incentives/regulations depends on whether the government could properly identify the source of cybersecurity resource misallocations and, in turn, tailor the regulation on inputs to help rectify the misallocation of resources. If it were assumed that the government could identify the source of cybersecurity resource misallocation, the government incentives/regulations on inputs to cybersecurity could, but not necessarily would, help firms reach a higher level of cybersecurity. The outcome in such a case would depend on whether or not the firm shifted its use of inputs closer to, or further away, from the optimal mix. If the government were not able to identify the aforementioned resource misallocations (which is a more realistic scenario), a more effective approach to having private firms reach a higher level of cybersecurity could be for the government to initiate incentives that would help to educate firms on how to efficiently allocate their resources (e.g. the establishment of training programs that assist firms in applying cost-benefit analysis to cybersecurity activities). Third, if it were assumed that the cybersecurity budget of an organization is not fixed (i.e. relax the firm s initial budget constraint), government incentives/regulations (e.g. mandatory cybersecurity standards, or tax incentives related to specific cybersecurity inputs) that encourage organizations to increase their cybersecurity investments could increase the cybersecurity level of such organizations. Whether or not the firm knows its optimal mix of inputs, a sufficient condition for an increase in a firm s cybersecurity level is that the incentives/regulations would not cause a lowering of the expenditures on one or more cybersecurity inputs. There exist, however, other sufficient conditions such that even if the regulation on one input results in the lowering of expenditures on other inputs, the overall cybersecurity level would increase. If a lowering of the expenditures on some cybersecurity inputs were to occur, then the ultimate result on the cybersecurity level of a firm would be dependent on how the input level changes affect the marginal benefits of inputs [If the actual level of an organization s cybersecurity (i.e. the output of cybersecurity input activities) could be unambiguously measured, then regulation on outputs would likely be the most effective means of addressing externalities]. Formal analysis The above graphical analysis of the inputs and outputs of cybersecurity, and the discussion of its implications, can be presented in a more formal analysis. Let Sx; ð y; vþ denote the firm s cybersecurity breach function, defined as the probability that an cybersecurity breach occurs, where x and y are levels of the two cybersecurity inputs X and Y, and v (0 < v < 1) represents the firm s underlying vulnerability to security breaches, i.e. v ¼ Sð0; 0; vþ. Note that the value of the firm s cybersecurity breach function decreases as the firm moves to a higher ISOSEC curve (i.e. a decrease in a firm s probability of a cybersecurity breach occurring translates into an increase in the firm s level of cybersecurity). Consistent with Fig. 2, we assume that increases in investments in security inputs X and Y would decrease the probability of cybersecurity breach (S) occurring at a decreasing rate, i.e. we y; v S x ¼ ð Þ < y; v S y ¼ ð Þ < 0; S xx Sx; ð y; 2 > 0; (3) S yy Sx; ð y; 2 > 0: (4) If a security breach actually occurs, the firm will suffer a private monetary loss L and other firms, organizations, and individuals will suffer the externality loss denoted as L E. Assume the firm is able to determine the optimal mix of cybersecurity inputs (taking into account only its private costs, L). When making security investment decisions in the absence of regulation (and considering only private costs), the firm would choose cybersecurity expenditure levels of X and Y so that its total expected net benefits from the expenditures (i.e. the reduction in the expected private loss from a cybersecurity breach less the costs of the cybersecurity expenditures) is maximized. Letting (x 1 ; y 1 ) denote the firm s optimal levels of cybersecurity inputs in the absence of regulation, we have (x 1 ; y 1 ) as the solution to the firm s maximization problem [This optimization assumes that the firm s cost-benefit analysis ignores the costs of externalities. Thus, what is referred to as the firm s optimal level is the firm s (private costs) optimal level, not the social welfare optimal]: max x;y ½v Sx; ð y; vþšl x y: Denote S 1 ¼ Sx ð 1 ; y 1 ; vþ; so that, S 1 represents the optimal cybersecurity level that is obtained in the absence of regulation. In the presence of externalities (i.e. L E > 0), however, the firm s level of cybersecurity, S 1, is below the socially optimal level (See [43] for an analysis of the magnitude of a firm s underinvestment caused by ignoring the costs of externalities). We denote the firm s total level of cybersecurity expenditures in the unregulated case as B 1, where B 1 ¼ x 1 þ y 1. Suppose the government wishes to have the firm move to a higher cybersecurity level. If the government (i.e. regulator) could measure and verify the level of both cybersecurity inputs (x and y), the government could mandate that higher level of cybersecurity expenditures by imposing large penalties for firms failing to do so. Recall, however, that the government can get verifiable data only on cybersecurity input X. Hence, the government can only require the firm to increase expenditures on input X and must let the firm

8 10 Journal of Cybersecurity, 2015, Vol. 1, No. 1 decide on the level of cybersecurity input Y. In the following analysis, we will examine the cybersecurity levels under such a government regulation under three different scenarios. Scenario 1: The firm is able to determine the optimal mix, but is not willing (or able) to increase the total expenditures on cybersecurity inputs (i.e. the cybersecurity budget is fixed at the current level). For this scenario, the government requires the firm to spend at least x R on input X, where x R is greater than the initial unregulated level, x 1 and the firm is assumed to have to choose inputs levels (x ; y R ) such x þ y R ¼ B 1 (i.e. the total cybersecurity expenditures remain at the unregulated optimal amount). Formally stated, (x ; y R ) solves the firm s following maximization problem: max x;y ½v Sx; ð y; vþšl x y s:t: x þ y ¼ B 1 xx R Denote S R ¼ Sx ð ; y R ; vþ as the obtained probability that a cybersecurity breach occurs. Our first proposition compares the post-regulation cybersecurity level S R with the pre-regulation cybersecurity level S 1 and follows directly from the definitions assumptions. A formal proof is presented in Appendix A. Proposition 1 Assume the firm is already determining the optimal mix of cybersecurity inputs ðx 1 ; y 1 Þ and will not change its cybersecurity budget B 1. Under a regulation that mandates more expenditures on only cybersecurity activity X (x x R > x 1 ), the firm would choose to strictly obey the regulation, but would decrease expenditures on activity Y and end up with a higher probability of a cybersecurity breach (recall that a higher probability of a cybersecurity breach occurring results in a lower level of cybersecurity), i.e. and x ¼ x R > x 1 ; y R < y 1 ; S R > S 1 : Scenario 2: The firm is not able to determine the optimal mix, and the cybersecurity budget is fixed (i.e. the firm is not willing or able to increase its expenditures on cybersecurity inputs). For this scenario, assume before the regulation takes place, the firm s cybersecurity inputs are ðx 0 ; y 0 Þ, which differ from ðx 1 ; y 1 Þ, but are subject to the same budget constraint B 1 (i:e: x 0 þ y 0 ¼ B 1 ). Suppose the regulator mandates that the firm must increase the cybersecurity expenditures on activity X to at least x R > x 0, and the firm chooses to strictly obey the regulation and keep its current budget level the same. Hence, the firm will pick the post-regulation input mix as ðx ¼ x R ; y ¼ B 1 x R Þ. Note that by defining y R ¼ B 1 x R,thefirm s post-regulation input mix would be represented by ðx R ; y R Þ. The following proposition (a formal proof of which appears in Appendix A) states the intuitive result that when the firm is not able to determine the optimal input mix, a regulation that motivates more efficient resource allocation would induce a lower probability of a cybersecurity breach (i.e. a higher cybersecurity level) without imposing higher total cybersecurity budget: Proposition 2 Assume the firm s current cybersecurity input mix ðx 0 ; y 0 Þ is different from the optimal mix ðx 1 ; y 1 Þ but under the same budget constraint B 1. A regulation that requires higher expenditures on x ðx x R > x 0 Þ would decrease the firm s probability of a cybersecurity breach (i.e. increase the firm s cybersecurity level) if it moves the input mix toward the optimal mix, and increase the firm s probability of a cybersecurity breach (i.e. decrease the firm s cybersecurity level) if it moves the input mix away from the optimal mix. Scenario 3A: The firm may or may not be able to determine the optimal input mix but responds to the government regulation on a single cybersecurity input without lowering expenditures on other inputs. (Thus, the firm is willing and able to increase it cybersecurity budget). For this scenario, assume prior to the introduction of the government regulation, the firm s cybersecurity inputs are ðx P ; y P Þ, which may, or may not, differ from the optimal unregulated input mix ðx 1 ; y 1 Þ.Let ðx A ; y A Þ be the firm s input mix after the regulation. The government regulation requires the firm to spend at least x R > x P on X, so that regulation can be stated as x A x R > x P : For this scenario, the firm s cybersecurity level will increase, as will the firm s budget tor cybersecurity inputs. This observation is stated formally in the next proposition and the (straightforward) proof appears in the Appendix A. Proposition 3 Assume the firm s current cybersecurity input mix is x P ; y p and the firm meets the government regulation that x A x R > x P without decreasing its expenditures on input Y. Then the firm s cybersecurity level will increase (i.e. the firm s probability of a cybersecurity breach will decrease) and the firm s budget for cybersecurity inputs will also increase. Scenario 3B: The firm is able to determine the optimal mix and is willing (and able) to increase its cybersecurity budget so as to accommodate the government regulation. We now move to the case where the firm is able to determine the optimal cybersecurity input mix and is willing and able to increase its cybersecurity budget in light of the government regulatory requirement. Note that in this scenario, we have removed the restriction that other cybersecurity inputs will not be lowered. Before the regulation takes effect, the firm was at its unregulated optimal input mix ðx 1 ; y 1 Þ. The regulation begins and mandates the firm to increase its cybersecurity expenditures on input X to at least x R > x 1. Denote (^x; ^y) as the firm s optimal levels of cybersecurity inputs under regulation, i.e. (bx; by) solves the firm s following optimization problem: max x;y ½v Sx; ð y; vþšl x y s:t: x x R ; where x R > x 1 : Denote ^S ¼ Sð^x; ^y; vþ (i.e. ^S represents the probability that a cybersecurity breach occurs under regulation) and define ^B ¼ ^x þ ^y as the total level of cybersecurity expenditures for the regulated case. The constraint x x R must be binding [This can be shown by first assuming that ^x > x R. This means that ð^x; ^yþis a solution to max x;y ½v Sx; ð y; vþšl x y without the constraint, i.e. ð^x; ^y Þ ¼ ðx 1 ; y 1 Þ, which contradicts the assumption that to ^x > x R > x 1. Hence, x x R is a binding constraint]. Hence we have ^x ¼ x R. In the next two propositions, we provide two sufficient conditions for the government regulation to result in a decrease in the probability of a cybersecurity breach. The first sufficient condition is that the cybersecurity inputs X and Y are weakly complementary over the interval ½x 1 ; x R Š, in the sense that an increase in x will not decrease the marginal benefit of an increase in y [Our use of the term weakly complementary is in the spirit of the discussion on production inputs in Ferguson (1969, p. 71)]. Formally, we assume S xy ¼ o2 Sx;y;v ð Þ oxoy 0.

9 Journal of Cybersecurity, 2015, Vol. 1, No Proposition 4 If the firm is able to determine the optimal input mix and adjust the cybersecurity expenditure budget, and if X and Y are weakly complementary inputs over interval ½x 1 ; x R Š, then the regulation would result in a lower probability of a cybersecurity breach occurring (i.e. when S xy 0, we have Sð^x; ^y; vþ < Sx ð 1 ; y 1 ; vþ). In addition, ^x þ ^y > x 1 þ y 1 (i.e, it is optimal for the firm to increase it cybersecurity budget). (See Appendix A for the formal proof.) We now examine the case where X and Y are not weakly complementary inputs. In that case, S xy > 0, and the inputs are said to be competitive in the sense that the marginal benefit of input Y declines when the input X increases. In this case, whether the regulation would induce a lower probability of a cybersecurity breach occurring is ambiguous. The firm is mandated to spend more on input X but would at the same time reduce expenditures on input Y (This can be proved in a similar fashion as Proposition 4), since the marginal benefit from input Y is now smaller. As a result, the decrease in the probability of a cybersecurity breach occurring from more spending on input X could be partly or even more than offset by the increase in the probability of a breach occurring due to less spending on input Y. Figure 3 illustrates how the optimal post-regulation expenditures ^y varies as the sign of S xy changes. Since ^x > x R is binding, the optimal post-regulation input mix is always on the vertical solid line at ^x ¼ x R. Comparing with the pre-regulation expenditures on input Y, the firm will invest more ^y if S xy < 0, invest the same if S xy ¼ 0, and invest less if S xy > 0. Note that the optimal post-regulation input mix could be either above or below the pre-regulation cybersecurity ISOSEC curve. In our next proposition, the formal proof of which appears in Appendix A, we provide another sufficient condition for the postregulation probability of a cybersecurity breach occurring to be lower than the pre-regulation probability. The following sufficient condition restates how the optimal y changes with changes in x. Proposition 5 If Sx < Sxy over interval ½ x 1; x Sy Syy R Š, it follows that Sð^x; ^y; vþ < Sx ð 1 ; y 1 ; vþ: Figures 4 and 5 summarize our analysis for Scenario 3B, i.e. when the firm is able to determine the optimal input mix and optimally adjusts the cybersecurity expenditure budget in response to the Figure 3. Optimal post-regulation expenditures on input Y. Figure 4. Region for higher post-regulation cybersecurity level. Figure 5. Region where the optimal post-regulation expenditures on input Y decreases and cybersecurity level increases. regulation. A regulation that increases expenditure on activity X from x 1 to at least x R would induce the firm to strictly obey the regulation and set ^x ¼ x R. The post-regulation input Y, however, may move along the vertical line at x ¼ x R.InFigure 4, the solid vertical line at ^x ¼ x R represents the region where the regulation will lower the probability of a cybersecurity breach (i.e. increase the cybersecurity level). Any breach probability functions that satisfy our sufficient condition Sx < Sxy would have post-regulation input mix falling into this region. Sy Syy When X and Y are weakly complementary inputs, the firm would choose not to decrease input Y and the total cybersecurity level would increase. When X and Y are competitive inputs, the firm would decrease expenditures on input Y, but as long as the condition Sx < Sxy holds, the post-regulation cybersecurity level would still Sy Syy be higher. In Fig. 5, we combine Figs 3 and 4 to highlight that there is a region where the post-regulation y decreases and the probability of a cybersecurity breach also decreases (i.e. we have a higher cybersecurity level). In other words, a regulation may be able to lower the probability of a cybersecurity breach, even though the regulation results in a lowering of other inputs (i.e. input Y).

13 Journal of Cybersecurity, 2015, Vol. 1, No last two inequalities, we have Sx ð ; y R ; vþ > Sx ð 1 ; y 1 ; vþ. Hence, by the definitions of S R and S 1, we have S R > S 1. Q.E.D. Proof of Proposition 2 With fixed budget B 1, the firm s probability of a cybersecurity breach can be rewritten as Sx; ð B 1 x; vþ, which reaches minimum (highest cybersecurity level) at x ¼ x 1 with the ds x;b1 x;v first-order condition ð Þ dx j x¼x1 ¼ 0 and the second-order condition ds2 ðx;b1 x;vþ > 0 satisfied. This implies that Sx ð dx 2 R ; B 1 x R ; vþ is decreasing in x R on interval ½0; x 1 Š and increasing in x R on interval ½x 1 ; 1Þ. Hence, regulation requirement x ¼ x R will decrease the firm s probability of a cybersecurity breach if it moves the input mix toward ðx 1 ; B 1 x 1 Þ, and increase the firm s probability of a cybersecurity breach if it moves the input mix away from ðx 1 ; B 1 x 1 Þ. Q.E.D. Proof of Proposition 3 After the firm responds to the regulation, the probability of a cybersecurity breach is characterized by S ðx A ; y A ; vþ: Since the firm meets the government regulatory requirement and does not lower its expenditures on Y, we have x A x R > x P and y A y P : Since the security breach function is assumed to be decreasing in X and in Y [see equations (2) and (3)], we have Sx ð A ; y A ; vþ < Sx ð P ; y P ; vþ. That is, the firm s probability of a cybersecurity breach has decreased, which means its cybersecurity level has increased. Since x A > x P and y A y P,we have x A þ y A > x P þ y P (i.e. the firm s cybersecurity budget has increased). Q.E.D. Proof of Proposition 4 We first show that ^y y 1. The pre-regulation optimal mix ðx 1 ; y 1 Þmust satisfy the following first-order conditions: ( S x ðx 1 ; y 1 ; vþl ¼ 1 ða:1þ S y ðx 1 ; y 1 ; vþl ¼ 1 ða:2þ Since x x R is binding, the post regulation optimization problem is to maximize the following Lagrangian function: L¼½v Sx; ð y; vþšl x y þ kðx x R Þ: First-order conditions are as follows: ( S x ðx R ; ^y; vþl ¼ 1 k ða:3þ S y ðx R ; ^y; vþl ¼ 1 ða:4þ From equations (A.4) and (A.2), we have S y ðx R ; ^y; vþ ¼ S y ðx 1 ; y 1 ; vþ. Given x R > x 1, with S xy 0, it follows that S y ðx R ; y 1 ; vþs y ðx 1 ; y 1 ; vþ ¼ S y ðx R ; ^y; vþ. Combined with S yy > 0, we have ^y y 1. Since we also have ^x ¼ x R > x 1, S x < 0; and S y < 0, it follows that Sð^x; ^y; vþ < Sx ð 1 ; y 1 ; vþ. In addition, ^x þ ^y > x 1 þ y 1. Q.E.D. Proof of Proposition 5 Recall that the unregulated probability of a cybersecurity breach occurring was denoted as S 1 ¼ Sx ð 1 ; y 1 ; vþ, and now define y as the level of input Y achieving the same probability of a cybersecurity breach occurring when x ¼ x R, i.e. Sx ð R ; y; vþ ¼Sx ð 1 ; y 1 ; vþ. In other words, input mixes ðx 1 ; y 1 Þ and ðx R ; yþ are on the same ISOSEC curve and yðx R Þ can be described with the slope of dy R dx R ¼ S x S y : ða:5þ Hence, y R ðx R Þ is decreasing in x R with the slope of marginal rate of technical substitution (MRTS) of the security breach function. The firm s optimal post-regulation investment in input ^y can also be viewed as a function of x R, i.e. ^y ðx R Þ and can be described by the taking the total differentiation of the first order condition S y ðx R ; ^y; vþl ¼ 1 (equation (A.4)): So dx y dy ¼ d^y dx R ¼ S xy S yy ; ða:6þ when x R ¼ x 1, ^y ¼ y R ¼ y 1. This means when the regulation requires the firm to spend at least x 1, the firm will choose the optimal mix ðx 1 ; y 1 Þ, and the regulation would not change the probability of a cybersecurity breach (i.e. the cybersecurity level remains the same). When the regulation requires the firm to increase spending on input X, imposing x > x R > x 1, the firm needs to spend at least y R to maintain the pre-regulation cybersecurity level. Therefore, by comparing ^y with y R, we can draw a conclusion on the regulation induced cybersecurity level. When S xy 0, ^y ðx R Þ is weakly increasing in x R, the firm would not decrease spending on input Y, and the firm will always have a higher post regulation security level (i.e. Proposition 4). When S xy > 0, ^y ðx R Þ is decreasing with the slope of Sxy. If ^y ð x RÞ is steeper than Syy the ISOSEC curve ( Sx > Sxy ), the firm would not invest enough Sy Syy to maintain the same cybersecurity level and the regulation would result in lower cybersecurity level; on the other hand, if ^y ðx R Þ is flatter than the ISOSEC curve ( Sx < Sxy ), the firm would Sy Syy invest more than enough to maintain the same cybersecurity level and the regulation would result in higher cybersecurity level. Q.E.D. Proof that generalized version of security breach probability functions from Gordon and Loeb (2002) satisfying Proposition 5. I. For S I v ðx; y; vþ ¼ a1xþ1 ð derivatives: Sx ð Þ b 1 a2yþ1þ b 2 a 1 b S x ¼ 1 v ða 1 x þ 1Þ b1þ1 ða 2 y þ 1Þ b 2 a 2 b S y ¼ 2 v ða 1 x þ 1Þ b 1 ða 2 y þ 1 a 1 a 2 b S xy ¼ 1 b 2 v ða 1 x þ 1Þ b1þ1 ða 2 y þ 1 a 2 2 S yy ¼ b 2ðb 2 þ 1Þv ða 1 x þ 1Þ b 1 ða 2 y þ 1 S xy S x ¼ a 1b 1 ða 2 y þ 1Þ S y a 2 b 2 ða 1 x þ 1Þ, we calculate the following Þ b 2þ1 Þ b 2þ1 Þ b 2þ2 a 1 b ¼ 1 ða 2 y þ 1Þ S yy a 2 ðb 2 þ 1Þða 1 x þ 1Þ S x S y < S xy S yy : The above calculations show that for this class of breach function, < Sxy, which implies the regulation leads to an improved Sy Syy cybersecurity level.

15 Journal of Cybersecurity, 2015, Vol. 1, No Computer Security Institute. 2010/2011 Computer crime and security survey, 2011, available at 324/CSISurvey2010.pdf (25 October 2015, date last accessed). 15. Ernst & Young. Under cyber attack, EY s global information security survey 2013, 2013, available at EY_-_2013_Global_Information_Security_Survey/\$FILE/EY-GISS- Under-cyber-attack.pdf (25 October 2015, date last accessed). 16. PwC, The Global State of Information Security VR Survey 2016, available at (25 October 2015, date last accessed). 17. Campbell K, Gordon LA, Loeb MP. et al. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J Computer Security 2003;11: Hovav A, D arcy J. The impact of denial-of-service attack announcements on the market value of firm. Risk Manag Insurance Rev 2003;6: Hovav A, D arcy J. The impact of virus attack announcements on the market value of firms. Informat Security J A Global Perspect 2004;13: Cavusoglu H, Mishra B, Raghunathan S. The effect of Internet security breach announcements on market value: capital market reactions for breached firms and Internet security developers. Int J Electronic Commerce 2004;9: Acquisti A, Friedman A, Telang R. Is there a cost to privacy breaches? An event study. ICIS 2006 Proceedings 2006; Ishiguro M, Tanaka H, Matsuura K, Murase I. The effect of information security incidents on corporate values in the Japanese stock market. In: International Workshop on the Economics of Securing the Information Infrastructure (WESII) Kannan A, Rees J, Sridhar S. Market reactions to information security breach announcements: an empirical analysis. Int J Electronic Commerce 2007;12: Florêncio D, Herley C. Sex, lies and cyber-crime surveys. In: Schneier B (ed.) Economics of Information Security and Privacy III. New York: Springer, 2013, Gordon LA, Loeb MP. Managing Cybersecurity Resources: A Cost- Benefit Analysis. New York: McGraw-Hill, Dixit AK, Pindyck RS. Investment under Uncertainty. Princeton, NJ: Princeton University Press, Gordon LA, Loeb MP, Lucyshyn W. Information security expenditures and real options: a wait-and-see approach. Computer Security J 2003;19: Gordon LA, Loeb MP, Lucyshyn W, Zhou L. The impact of information sharing on cybersecurity underinvestment: a real options perspective. J Account Public Policy 2015;34: Baryshnikov Y. IT Security Investment and Gordon-Loeb s 1/e Rule. In: WEIS, Varian H. System reliability and free riding. In: Camp LJ, Lewis S (eds), Economics of Information Security. USA: Springer, 2004, Moore T, Anderson R. Internet security. In: M Peitz and J Waldfogel (eds), The Oxford Handbook of the Digital Economy. Oxford University Press, 2012, Groves T, Loeb M. Incentives and public inputs. J Public Economics 1975;4: Anderson R, Böhme R, Clayton R, Moore T. Security economics and European policy. In: Johnson ME (ed.), Managing Information Risk and the Economics of Security. USA: Springer, 2009, Sales NA. Regulating cyber-security. Northwestern Univ L Rev 2013;107: Bauer JM, Van Eeten MJG. Cybersecurity: stakeholder incentives, externalities, and policy options. Telecommun Policy 2009;33: Gyenes R. Voluntary cybersecurity framework is unworkable-government must crack the whip. Pittsburgh J Technol L & Policy 2014;14: Shavell S. A model of the optimal use of liability and safety regulation. Rand J Economics 1984;15: Romanosky S, Telang R, Acquisti A. Do data breach disclosure laws reduce identity theft? J Policy Analysis Manag 2011;30: Gordon LA, Loeb MP, Lucyshyn W. Sharing information on computer systems security: an economic analysis. J Accounting Public Policy 2003); 22: Gal-Or E, Ghose A. The economic incentives for sharing security information. Informat Sys Res 2005;16: Böhme R, Schwartz G. Modeling cyber-insurance: towards a unifying framework. In: Proceedings of the Ninth Workshop on the Economics of Information Security, Available at archive/weis2010/papers/session5/weis2010_boehme.pdf (25 October 2015, date last accessed). 42. Moore T. The economics of cybersecurity: principles and policy options. Int J Crit Infra Protection 2010;3: Gordon LA, Loeb MP, Lucyshyn W, Zhou L. Externalities and the magnitude of cybersecurity underinvestment by private sector firms: a modification of the Gordon-Loeb Model. J Informat Security 2015a. 44. Cropper ML, Oates WE. Environmental economics: a survey. J Econo Literature 1992;30: Camp LJ, Wolfram C. Pricing security. In: Camp LJ, Lewis S (eds), Economics of Information Security. USA: Springer, 2004, Arora A, Telang R, Xu H. Optimal policy for software vulnerability disclosure. Manag Sci 2008;54: Gramm-Leach-Bliley Act, 1999, Public Law , available at (25 October 2015, date last accessed). 48. Thaw D. The efficacy of cybersecurity regulation. Georgia State Univ L R 2013;30: Lewis JA. Securing Cybersecurity for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency. Center for Strategic and International Studies, Washington DC, Gao F, Wu JS, Zimmerman J. Unintended consequences of granting small firms exemptions from securities regulation: evidence from the Sarbanes- Oxley Act. J Account Res 2009;47: Ashbaugh-Skaife, H, Collins DW, Lafond R. The effect of SOX internal control deficiencies on firm risk and cost of equity. J Account Res 2009;47: Li C, Peters GF, Richardson VJ, Watson MW. The consequences of information technology control weaknesses on management information systems: the case of Sarbanes-Oxley internal control reports. MIS Quart 2012); 36: Gordon LA, Wilford A. An analysis of multiple consecutive years of material weaknesses in internal control. Account Rev 2012; 87: Gordon LA, Loeb MP, Lucyshyn W, Sohail T. The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. J Account Public Policy 2006;25: Gordon LA, Loeb MP, Sohail T. Market value of voluntary disclosures concerning information security. MIS Quart 2010;34: Rockefeller J. Letter to the U.S. Senate Chairman, 9 April Available at letter-to-chairman-white.pdf (5 October 2015, date last accessed). 57. Health Insurance Portability and Accountability Act of 1996, Public Law Available at html/plaw-104publ191.htm (25 October 2015, date last accessed). 58. Harvey DW, White A. The impact of computer security regulation on American companies. Texas Weslyan L Rev ;8: California Notice of Security Breach Act, Available at gov/ecrime/databreach/reporting (5 October 2015, date last accessed).

### Incentives for Improving Cybersecurity in the Private Sector: A Cost-Benefit Perspective

Incentives for Improving Cybersecurity in the Private Sector: A Cost-Benefit Perspective Testimony for the House Committee on Homeland Security s Subcommittee on Emerging Threats, Cybersecurity, and Science

### ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY

ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY Lawrence A. Gordon Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance The Robert H. Smith School of Business University of Maryland

### INVESTING IN CYBERSECURITY:

INVESTING IN CYBERSECURITY: Insights from the Gordon-Loeb Model Lawrence A. Gordon EY Alumni Professor of Managerial Accounting & Information Assurance Affiliate Professor in University of Maryland Institute

### PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS

CYBERSECURITY PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS by Dr. Lawrence A. Gordon (Lgordon@rhsmith.umd.edu) EY Professor of Managerial Accounting and Information Assurance Affiliate

### QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT Rok Bojanc ZZI d.o.o. rok.bojanc@zzi.si Abstract: The paper presents a mathematical model to improve our knowledge of information security and

### S 2 ERC Project: A Review of Return on Investment for Cybersecurity. Author: Joe Stuntz, MBA EP 14, McDonough School of Business.

S 2 ERC Project: A Review of Return on Investment for Cybersecurity Author: Joe Stuntz, MBA EP 14, McDonough School of Business Date: 06 May 2014 Abstract Many organizations are looking at investing in

### Sharing Information on Computer Systems Security: An Economic Analysis

Sharing Information on Computer Systems Security: An Economic Analysis Lawrence A. Gordon Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance The Robert H. Smith School of

### Reducing the Challenges to Making Cybersecurity Investments in the Private Sector

Cyber Security Division 2012 Principal Investigators Meeting TTA: Cyber Economics PI - Dr. Lawrence A. Gordon* (lgordon@rhsmith.umd.edu), (301) 405-4072 Co-PI Dr. Martin P. Loeb* (mloeb@rhsmith.umd.edu),

### Written Testimony of Michael Menapace. Sen. Jerry Moran, Sen. Blumenthal, and other members of the Subcommittee -

Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security Hearing entitled Examining the Evolving Cyber Insurance Marketplace. Thursday, March 19, 2015 Written Testimony of Michael

### Data Communications Company (DCC) price control guidance: process and procedures

Guidance document Contact: Tricia Quinn, Senior Economist Publication date: 27 July 2015 Team: Smarter Metering Email: tricia.quinn@ofgem.gov.uk Overview: The Data and Communications Company (DCC) is required

### Information Security and Risk Management

Information Security and Risk Management by Lawrence D. Bodin Professor Emeritus of Decision and Information Technology Robert H. Smith School of Business University of Maryland College Park, MD 20742

### Credible Discovery, Settlement, and Negative Expected Value Suits

Credible iscovery, Settlement, and Negative Expected Value Suits Warren F. Schwartz Abraham L. Wickelgren Abstract: This paper introduces the option to conduct discovery into a model of settlement bargaining

### ESMT BUSINESS BRIEF. Exploitative Abuses. Lars-Hendrik Röller, ESMT. ESMT No. BB-107-002 ISSN 1866 4024

Business Brief Consolidation Index: Critical Success Factors for Industry Consolidation 1 ESMT No. BB-107-002 ESMT BUSINESS BRIEF Lars-Hendrik Röller, ESMT ISSN 1866 4024 2 Business Brief Consolidation

### Unraveling versus Unraveling: A Memo on Competitive Equilibriums and Trade in Insurance Markets

Unraveling versus Unraveling: A Memo on Competitive Equilibriums and Trade in Insurance Markets Nathaniel Hendren January, 2014 Abstract Both Akerlof (1970) and Rothschild and Stiglitz (1976) show that

### New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

### Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls ABSTRACT Stefan Laube Department of Information Systems University of Münster Münster Germany StefanLaube@uni-muensterde

### The promise and pitfalls of cyber insurance January 2016

www.pwc.com/us/insurance The promise and pitfalls of cyber insurance January 2016 2 top issues The promise and pitfalls of cyber insurance Cyber insurance is a potentially huge but still largely untapped

### . In this case the leakage effect of tax increases is mitigated because some of the reduction in disposable income would have otherwise been saved.

Chapter 4 Review Questions. Explain how an increase in government spending and an equal increase in lump sum taxes can generate an increase in equilibrium output. Under what conditions will a balanced

### Moral Hazard. Itay Goldstein. Wharton School, University of Pennsylvania

Moral Hazard Itay Goldstein Wharton School, University of Pennsylvania 1 Principal-Agent Problem Basic problem in corporate finance: separation of ownership and control: o The owners of the firm are typically

### The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

### Week 7 - Game Theory and Industrial Organisation

Week 7 - Game Theory and Industrial Organisation The Cournot and Bertrand models are the two basic templates for models of oligopoly; industry structures with a small number of firms. There are a number

### Treasury Department Summary Report to the President on. Cybersecurity Incentives Pursuant to Executive Order 13636

Treasury Department Summary Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636 1 SUMMARY REPORT AND RECOMMENDATIONS The cyber threat to our nation s critical infrastructure

### White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

### Chapter 21: The Discounted Utility Model

Chapter 21: The Discounted Utility Model 21.1: Introduction This is an important chapter in that it introduces, and explores the implications of, an empirically relevant utility function representing intertemporal

### STATEMENT OF MARK A.S. HOUSE OF REPRESENTATIVES

STATEMENT OF MARK A. FORMAN ASSOCIATE DIRECTOR FOR INFORMATION TECHNOLOGY AND ELECTRONIC GOVERNMENT OFFICE OF MANAGEMENT AND BUDGET BEFORE THE COMMITTEE ON GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT

### Let the Pirates Patch? An Economic Analysis of Network Software Security Patch Restrictions

Let the Pirates Patch? An Economic Analysis of Network Software Security Patch Restrictions Terrence August and Tunay I. Tunca Graduate School of Business, Stanford University Stanford, CA, 94305 Extended

### CALIFORNIA POLICY BRIEFING MEMO MOTOR VEHICLE FUEL DIVERSIFICATION

IMPACT OF CALIFORNIA TRANSPORTATION POLICIES ON LONG TERM FUEL DIVERSIFICATION, FUEL PRODUCER MARKET POWER, AND MOTOR VEHICLE FUEL (GASOLINE AND DIESEL) PRICES James Fine, PhD, Senior Economist, Environmental

### Health Economics. University of Linz & Information, health insurance and compulsory coverage. Gerald J. Pruckner. Lecture Notes, Summer Term 2010

Health Economics Information, health insurance and compulsory coverage University of Linz & Gerald J. Pruckner Lecture Notes, Summer Term 2010 Gerald J. Pruckner Information 1 / 19 Asymmetric information

### Texas House Bill 300 & HIPAA. A MainNerve Whitepaper

A MainNerve Whitepaper Overview If you do business in Texas and your organization handles, creates, stores, transmits or has access to electronic patient healthcare information, you need to be mindful

### )LQDQFLDO\$VVXUDQFH,VVXHV RI(QYLURQPHQWDO/LDELOLW\

)LQDQFLDO\$VVXUDQFH,VVXHV RI(QYLURQPHQWDO/LDELOLW\ ([HFXWLYH6XPPDU\ %\ 3URI'U0LFKDHO*)DXUH//0 DQG 0U'DYLG*ULPHDXG Maastricht University and European Centre for Tort and Insurance Law (ECTIL) Final version

### Voluntary Participation in Cyber-insurance Markets

Voluntary Participation in Cyber-insurance Markets Parinaz aghizadeh and Mingyan Liu Abstract The study of cyber-insurance, both as a method for transferring residual cyber-security risks, and as an incentive

### CAPITAL PLANNING GUIDELINES

CAPITAL PLANNING GUIDELINES 1. INTRODUCTION... 2 2. EXTENSION OF EXISTING INFRASTRUCTURE PROJECTS... 2 3. NEW CAPITAL PROJECTS... 2 4. MINIMUM INFORMATION REQUIRED... 3 5. PREPARATORY WORK... 3 5.1 NEEDS

### CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

### THE EFFECT OF SETTLEMENT IN KAPLOW S MULTISTAGE ADJUDICATION

THE EFFECT OF SETTLEMENT IN KAPLOW S MULTISTAGE ADJUDICATION Abraham L. Wickelgren Professor Louis Kaplow s article, Multistage Adjudication, presents an extremely useful framework for thinking about how

### 11.3 BREAK-EVEN ANALYSIS. Fixed and Variable Costs

385 356 PART FOUR Capital Budgeting a large number of NPV estimates that we summarize by calculating the average value and some measure of how spread out the different possibilities are. For example, it

### The Reasonable Person Negligence Standard and Liability Insurance. Vickie Bajtelsmit * Colorado State University

\ins\liab\dlirpr.v3a 06-06-07 The Reasonable Person Negligence Standard and Liability Insurance Vickie Bajtelsmit * Colorado State University Paul Thistle University of Nevada Las Vegas Thistle s research

### NINTH ANNUAL CSI/FBI COMPUTER CRIME AND SECURITY SURVEY. GoCSI.com

NINTH ANNUAL 2004 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY GoCSI.com by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson The Computer Crime and Security Survey is conducted

### Coordination in Network Security Games

Coordination in Network Security Games Marc Lelarge INRIA - ENS Paris, France Email: marc.lelarge@ens.fr Abstract Malicious softwares or malwares for short have become a major security threat. While originating

### Working Paper No. 51/00 Current Materiality Guidance for Auditors. Thomas E. McKee. Aasmund Eilifsen

Working Paper No. 51/00 Current Materiality Guidance for Auditors By Thomas E. McKee Aasmund Eilifsen SNF-project No. 7844: «Finansregnskap, konkurs og revisjon The project is financed by the Norwegian

### National Cyber Threat Information Sharing. System Strengthening Study

Contemporary Engineering Sciences, Vol. 7, 2014, no. 32, 1755-1761 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.411235 National Cyber Threat Information Sharing System Strengthening

### PUBLIC HEALTH OPTOMETRY ECONOMICS. Kevin D. Frick, PhD

Chapter Overview PUBLIC HEALTH OPTOMETRY ECONOMICS Kevin D. Frick, PhD This chapter on public health optometry economics describes the positive and normative uses of economic science. The terms positive

### Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

### Lecture 2. Marginal Functions, Average Functions, Elasticity, the Marginal Principle, and Constrained Optimization

Lecture 2. Marginal Functions, Average Functions, Elasticity, the Marginal Principle, and Constrained Optimization 2.1. Introduction Suppose that an economic relationship can be described by a real-valued

### Can Cyber Insurance Be Linked to Assurance?

SESSION ID: CXO-W03 Can Cyber Insurance Be Linked to Assurance? Larry Clinton President and CEO Internet Security Alliance @ISalliance Dan Reddy Adjunct Faculty: Engineering & Technology Quinsigamond Community

### Commentary: What Do Budget Deficits Do?

Commentary: What Do Budget Deficits Do? Allan H. Meltzer The title of Ball and Mankiw s paper asks: What Do Budget Deficits Do? One answer to that question is a restatement on the pure theory of debt-financed

### Evaluating Costs anti Benefits in Health Care

2 Evaluating Costs anti Benefits in Health Care Contents Introduction...................................................... Definition of CEA/CBA............................................. Importance

### CGI Cyber Risk Advisory and Management Services for Insurers

CGI Cyber Risk Advisory and Management Services for Insurers Minimizing Cyber Risks cgi.com 3 As organizations seek to create value in today s highly interconnected world, they inherently increase their

### Private Sector Cyber Security Investment Strategies: An Empirical Analysis *

Private Sector Cyber Security Investment Strategies: An Empirical Analysis * Brent R. Rowe Technology Economics and Policy RTI International browe@rti.org Michael P. Gallaher Technology Economics and Policy

### An Overview of the Economics of Cybersecurity and Cybersecurity Policy

An Overview of the Economics of Cybersecurity and Cybersecurity Policy Joseph J. Cordes Professor of Economics, Public Policy and Public Administration, and International Affairs Trachtenberg School of

### Why is Insurance Good? An Example Jon Bakija, Williams College (Revised October 2013)

Why is Insurance Good? An Example Jon Bakija, Williams College (Revised October 2013) Introduction The United States government is, to a rough approximation, an insurance company with an army. 1 That is

### Software Anti-piracy and Pricing in a Competitive Environment: a Game Theoretic Analysis

Software Anti-piracy and Pricing in a Competitive Environment: a Game Theoretic Analysis We study a problem of two software firms competing on price in a market where consumers can choose between purchasing

### The Tax Benefits and Revenue Costs of Tax Deferral

The Tax Benefits and Revenue Costs of Tax Deferral Copyright 2012 by the Investment Company Institute. All rights reserved. Suggested citation: Brady, Peter. 2012. The Tax Benefits and Revenue Costs of

### Inflation. Chapter 8. 8.1 Money Supply and Demand

Chapter 8 Inflation This chapter examines the causes and consequences of inflation. Sections 8.1 and 8.2 relate inflation to money supply and demand. Although the presentation differs somewhat from that

### AP Microeconomics Chapter 5 Outline

I. Learning Objectives In this chapter students should learn: A. How to differentiate demand side market failures and supply side market failures. B. The origin of consumer surplus and producer surplus,

### Answers to Text Questions and Problems. Chapter 22. Answers to Review Questions

Answers to Text Questions and Problems Chapter 22 Answers to Review Questions 3. In general, producers of durable goods are affected most by recessions while producers of nondurables (like food) and services

### The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program March 2005 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the

### Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy s gas and electric utilities collaborate with industry leaders and a wide range of

### CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

### Marginal cost. Average cost. Marginal revenue 10 20 40

Economics 101 Fall 2011 Homework #6 Due: 12/13/2010 in lecture Directions: The homework will be collected in a box before the lecture. Please place your name, TA name and section number on top of the homework

### ECON 312: Oligopolisitic Competition 1. Industrial Organization Oligopolistic Competition

ECON 312: Oligopolisitic Competition 1 Industrial Organization Oligopolistic Competition Both the monopoly and the perfectly competitive market structure has in common is that neither has to concern itself

### THE FUNDAMENTAL THEOREM OF ARBITRAGE PRICING

THE FUNDAMENTAL THEOREM OF ARBITRAGE PRICING 1. Introduction The Black-Scholes theory, which is the main subject of this course and its sequel, is based on the Efficient Market Hypothesis, that arbitrages

### CONSUMER PREFERENCES THE THEORY OF THE CONSUMER

CONSUMER PREFERENCES The underlying foundation of demand, therefore, is a model of how consumers behave. The individual consumer has a set of preferences and values whose determination are outside the

Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

### Chapter 1 INTRODUCTION. 1.1 Background

Chapter 1 INTRODUCTION 1.1 Background This thesis attempts to enhance the body of knowledge regarding quantitative equity (stocks) portfolio selection. A major step in quantitative management of investment

### Rafal Borkowski, Hipoteczna 18/22 m. 8, 91-337 Lodz, POLAND, E-mail: r-borkowski@go2.pl

Rafal Borkowski, Hipoteczna 18/22 m. 8, 91-337 Lodz, POLAND, E-mail: r-borkowski@go2.pl Krzysztof M. Ostaszewski, Actuarial Program Director, Illinois State University, Normal, IL 61790-4520, U.S.A., e-mail:

### FY2015 Annual Report. Towards an Economic Behavioral Science Approach to Cyber Security. Scott Farrow UMBC, farrow@umbc.edu

FY2015 Annual Report Towards an Economic Behavioral Science Approach to Cyber Security Scott Farrow UMBC, farrow@umbc.edu Contents 1. Executive Summary... 1 2. Research and Research Transition Accomplishments...

### 1 Uncertainty and Preferences

In this chapter, we present the theory of consumer preferences on risky outcomes. The theory is then applied to study the demand for insurance. Consider the following story. John wants to mail a package

### Cybersecurity Workshop

Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

### Equilibrium in Competitive Insurance Markets: An Essay on the Economic of Imperfect Information

Equilibrium in Competitive Insurance Markets: An Essay on the Economic of Imperfect Information By: Michael Rothschild and Joseph Stiglitz Presented by Benjamin S. Barber IV, Xiaoshu Bei, Zhi Chen, Shaiobi

### NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

### Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in

### No. 33 February 19, 2013. The President

Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001

### A security analysis of the SecLookOn authentication system

Institut f. Statistik u. Wahrscheinlichkeitstheorie 1040 Wien, Wiedner Hauptstr. 8-10/107 AUSTRIA http://www.statistik.tuwien.ac.at A security analysis of the SecLookOn authentication system K. Grill Forschungsbericht

### CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

October 21, 2015 CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS Cerone F. Cy Sturdivant Managing Consultant csturdivant@bkd.com 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls

### Voluntary Participation in Cyber-insurance Markets

1 Voluntary Participation in Cyber-insurance Markets Parinaz aghizadeh, Mingyan Liu Department of Electrical Engineering and Computer Science University of Michigan, Ann Arbor, Michigan, 4819-1 Email:

### Response to European Commission inquiry into the European business insurance sector pursuant to Article 17 of Regulation 1/2003

Response to European Commission inquiry into the European business insurance sector pursuant to Article 17 of Regulation 1/2003 Executive summary The ABI believes the Commission is correct to place business

### Improving Cyber Security Risk Management through Collaboration

CTO Corner April 2014 Improving Cyber Security Risk Management through Collaboration Dan Schutzer, Senior Technology Consultant, BITS Back in March 2013, I wrote a CTO Corner on Operational and Cyber Risk

### Computational Finance Options

1 Options 1 1 Options Computational Finance Options An option gives the holder of the option the right, but not the obligation to do something. Conversely, if you sell an option, you may be obliged to

### Demand for Health Insurance

Demand for Health Insurance Demand for Health Insurance is principally derived from the uncertainty or randomness with which illnesses befall individuals. Consequently, the derived demand for health insurance

### ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,

### ECONOMIC CONSIDERATIONS FOR COMMUNITY RESILIENCE

ECONOMIC CONSIDERATIONS FOR COMMUNITY RESILIENCE 1. Introduction a. Purpose To identify and briefly describe the ways in which disasters affect the local economy and the way the economy influences the

### 2. Information Economics

2. Information Economics In General Equilibrium Theory all agents had full information regarding any variable of interest (prices, commodities, state of nature, cost function, preferences, etc.) In many

### Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048

Cybersecurity Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP 214.758.1048 Setting expectations Are you susceptible to a data breach? October 7, 2014 Setting expectations Victim Perpetrator

### Five Myths of Active Portfolio Management. P roponents of efficient markets argue that it is impossible

Five Myths of Active Portfolio Management Most active managers are skilled. Jonathan B. Berk 1 This research was supported by a grant from the National Science Foundation. 1 Jonathan B. Berk Haas School

### Insurance as Operational Risk Management Tool

DOI: 10.7763/IPEDR. 2012. V54. 7 Insurance as Operational Risk Management Tool Milan Rippel 1, Lucie Suchankova 2 1 Charles University in Prague, Czech Republic 2 Charles University in Prague, Czech Republic

### MEASURING ECONOMIC IMPACTS OF PROJECTS AND PROGRAMS

Economic Development Research Group April 1997 MEASURING ECONOMIC IMPACTS OF PROJECTS AND PROGRAMS GLEN WEISBROD, ECONOMIC DEVELOPMENT RESEARCH GROUP BURTON WEISBROD, ECONOMICS DEPT., NORTHWESTERN UNIV.

### CYBER SECURITY SPECIALREPORT

CYBER SECURITY SPECIALREPORT 32 The RMA Journal February 2015 Copyright 2015 by RMA INSURANCE IS AN IMPORTANT TOOL IN CYBER RISK MITIGATION Shutterstock, Inc. The time to prepare for a potential cyber

### Risks and uncertainties

Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that

### The Liquidity Trap and U.S. Interest Rates in the 1930s

The Liquidity Trap and U.S. Interest Rates in the 1930s SHORT SUMMARY Christopher Hanes Department of Economics School of Business University of Mississippi University, MS 38677 (662) 915-5829 chanes@bus.olemiss.edu

### Understanding Data Governance ROI: A Compliance Perspective

A DataFlux White Paper Prepared by: Gwen Thomas Understanding Data Governance ROI: A Compliance Perspective Leader in Data Quality and Data Integration www.dataflux.com 877 846 FLUX International +44 (0)

### Economic background of the Microsoft/Yahoo! case

Economic background of the Microsoft/Yahoo! case Andrea Amelio and Dimitrios Magos ( 1 ) Introduction ( 1 ) This paper offers an economic background for the analysis conducted by the Commission during

### GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

### EDUCATION AND EXAMINATION COMMITTEE SOCIETY OF ACTUARIES RISK AND INSURANCE. Copyright 2005 by the Society of Actuaries

EDUCATION AND EXAMINATION COMMITTEE OF THE SOCIET OF ACTUARIES RISK AND INSURANCE by Judy Feldman Anderson, FSA and Robert L. Brown, FSA Copyright 25 by the Society of Actuaries The Education and Examination

### State of Security Survey GLOBAL FINDINGS

2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding

Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

### The Elasticity of Taxable Income: A Non-Technical Summary

The Elasticity of Taxable Income: A Non-Technical Summary John Creedy The University of Melbourne Abstract This paper provides a non-technical summary of the concept of the elasticity of taxable income,

### PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM Don Dickinson Phoenix Contact USA P.O. Box 4100 Harrisburg, PA 17111 ABSTRACT Presidential Executive Order 13636 Improving