Abstract

Cyber security breaches inflict costs on consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s socially optimal investment in cyber security increases by no more than 37% of the expected externality loss.

Highlights

  • With economic activity and national defense heavily and increasingly dependent on networked computer systems, cyber security issues continue to draw increasing attention by the media, as well as by executives at the highest levels of government, industry, and nonprofit organizations. A key reason for this increasing attention on cyber security issues by governments around the world is the eminent threat posed by cyber security breaches to a nation’s national defense and the nation’s economic strength [2].

How to cite this paper: Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model

  • In order to move towards socially optimal levels of cyber security investments, there is a compelling argument for governments to explore a variety of regulations and/or incentives that are designed to get private sector firms to increase their cyber security investments.

  • The primary objective of this paper has been to extend the GL Model for deriving the optimal level of investment in cyber security activities. This extension focused on examining the impact of considering the costs associated with the externalities of cyber security breaches, in addition to private costs, on a private sector firm’s optimal level of cyber security investment as viewed from a social welfare perspective.


Summary

Introduction

With economic activity and national defense heavily and increasingly dependent on networked computer systems, cyber security issues continue to draw increasing attention by the media, as well as by executives at the highest levels of government, industry, and nonprofit organizations. A key reason for this increasing attention on cyber security issues by governments around the world is the eminent threat posed by cyber security breaches to a nation’s national defense and the nation’s economic strength [2]. Governments have an interest in providing incentives/regulations to firms to invest in cyber security activities at a level that takes into account the private losses incurred by firms from breaches of cyber security, and the costs of externalities resulting from such breaches. The objective of this paper is to investigate the magnitude of underinvestment in cyber security activities by a private sector firm that considers only its private costs and benefits without regard to externalities. This investigation will take place in the context of the influential Gordon-Loeb Model presented in [1], hereafter referred to as GL Model, for deriving the appropriate level of cyber security investment. The fourth, and final, section of this paper will present some concluding comments.

GL Model Literature
Modifying the GL Model to Incorporate Externalities
Findings
Concluding Comments