Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors

Abstract

Cyber-security is increasingly seen as an important determinant of firm-specific financial risk. Agency theory suggests that managers and investors have different preferences over such risk because investors can diversity their capital over different firms to reduce firm-specific risk but managers cannot diversify their investment of human capital in their firm. Therefore managers face greater personal cost of financial distress during their limited tenure. We develop an analytical model for optimally allocating investments to general productive assets and specific cyber-security assets incorporating costs of security breaches, borrowing and financial distress. We note that investment in productive assets can generate cash flows that allow the firm to better withstand security threats in the long run but investment in specific security-enhancing assets reduce security breaches in short run while leaving the firm's finances vulnerable over a longer period. Using our model, we show that managers over-invest in specific security-enhancing assets to reduce security breaches during their tenure. We then incorporate cyber-insurance in our model and show that it has the effect of reducing managers' over-investment in specific security-enhancing assets.