Abstract

Information security management has become more challenging because of the diverse security risk interdependencies between firms. Prior research rarely considers the impact of risk interdependency on security decisions. This paper comprehensively considers two types of security risk interdependency: one caused by the nature of information assets and one caused by technical similarity. We find that it is necessary to distinguish between complementary and substitutable information assets, since they have different effects on a firm's investment incentive. For the risk interdependency caused by the nature of the information assets, both a high degree of complementation and a high degree of substitution inhibit firms' incentives to invest, but the underlying reasons are different. For the other risk interdependency, technical similarity enhances the investment incentive of complementary firms but suppresses that of substitutable firms. Moreover, the free-riding problem is unavoidable when a firm makes security decisions independently. We therefore propose two efficient mechanisms to coordinate firms' investment incentives: the effort-based mechanism and the liability-based mechanism. Under the effort-based mechanism, a firm obtains a reward from its cooperating firm according to its security effort level. Under the liability-based mechanism, the breached firm takes on the liability by compensating the non-breached firm. We find that both mechanisms are efficient and could guide firms in solving the problems of opportunism and shirking responsibility in practice. Finally, for generality, we extend our model to an asymmetric case and find that most of the results are robust.
