Understanding incentives for cybersecurity investments: Development and application of a typology

Martijn Wessels, Puck van den Brink, Thijmen Verburgh, Beatrice Cadet, Theo van Ruijven
Digital Business, Volume 1, Issue 2, Article 100014. Published 2021-10-01. DOI: 10.1016/j.digbus.2021.100014

Citation count: 2

Abstract

Digitalisation has tremendous benefits while simultaneously elevating cybersecurity to a prominent theme in modern societies. All businesses and organisations need to invest in and manage their cybersecurity measures to ensure the continuation of their processes. However, the academic understanding of the different incentives for these investments is fragmented across many different studies, and a clear overview of these types of incentives for cybersecurity is lacking. This research aims to fill this deficiency by providing clarity on how incentives can be conceptualised, and what they mean in the context of investing in and managing cybersecurity. This article provides a typology of cybersecurity incentives of organisations that can be used by scholars and professionals to understand the (lack of) adoption of cybersecurity measures. The typology is developed on the basis of a literature study encompassing different theoretical perspectives on incentives, and illustrated and further scrutinised with an empirical case about the adoption of secure e-mail standards. We present a typology of six categories of incentives that may explain why organisations are (not) willing to invest in cybersecurity measures: economic, normative, historic and feasibility incentives, network externalities, and the presence of competing cybersecurity issues and solutions. This typology can serve as a starting point for future research to develop a (full) conceptual framework for identifying and understanding incentives for cybersecurity. Furthermore, cybersecurity professionals (e.g. Chief Information Security Officers) and policy makers can use this typology in their work to enhance the cybersecurity of organisations and society.
