An economic analysis of the optimal information security investment in the case of a risk-averse firm

Abstract

This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility theory, we find that for a risk-averse decision maker, the maximum security investment increases with, but never exceeds, the potential loss from a security breach, and there exists a minimum potential loss below which the optimal investment is zero. Our model also shows that the investment in information security does not necessarily increase with increasing level of risk aversion of the decision maker. Relationships between vulnerability and investment effectiveness and two broad classes of security breach probability functions are examined, leading to interesting insights that can be used as guidelines for managers to determine the optimal level of security investment for certain types of security threats faced by risk-averse firms. Future research directions are discussed based on the limitations and possible extensions of this study.