Abstract
This paper presents mathematical models for cyber breach probability as function of security spending in protecting a firm’s ICT systems. We derive optimal level of security investment as percentage of value-at-risk. We show that the upper bound of optimal investment can be 1/e, 1/√2π or other percentages of value-at-risk, depending on the cyber breach probability model. We apply the models to derive optimal security budget allocation for protecting ICT systems with multiple areas of vulnerability and multiple data assets. Our analysis highlights the importance of security measures to cover the full spectrum of areas of vulnerability; neglecting one area of vulnerability can render the security investment ineffective and wasteful. Moreover, optimal economic value can be achieved by differential treatment of a firm’s high-value data assets.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
