Abstract
For corporate security officers (CSOs), investment decisions about IT security are more challenging than microeconomic models would suggest. Large budgets are not necessarily associated with effective corporate protection, whereas cybersecurity breaches negatively affect individual career prospects irrespective of prior investments. In this chapter we build on the Gordon-Loeb model to develop a recursive model which simulates investment dynamics, CSO reputation and inter-firm migration as well as cyberdefense effectiveness. We argue that a positive (negative) dynamic should exist between high (low) CSO reputation and effective corporate protection, and we simulate this hypothesized relationship by a Monte Carlo process which uses data from real cybersecurity breaches.
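The abstract builds on the Gordon-Loeb model without restating it. The following is an added example (not code from the chapter or its authors) that works through the standard Gordon-Loeb computation the chapter extends: a class-I breach probability function S(z, v) = v / (αz + 1)^β, the expected net benefit of an investment z, its closed-form optimum, a brute-force check of that optimum, and the well-known result that the optimal investment never exceeds (1/e) of the expected loss vL. The chapter's recursive reputation and migration dynamics are not reproduced here. The parameter values (α = 0.01, β = 1, v = 0.5, expected loss 1000) and the lognormal loss draws in the Monte Carlo step are constructed for illustration, not taken from breach data.

```python
import math
import random


def breach_probability(z, v, alpha=0.01, beta=1.0):
    """Gordon-Loeb class-I security breach probability function S(z, v) = v / (alpha*z + 1)**beta.
    v is the baseline vulnerability (breach probability with no investment), z the amount invested."""
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha=0.01, beta=1.0):
    """ENBIS(z) = (v - S(z, v)) * loss - z: expected loss avoided minus the cost of the investment."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha=0.01, beta=1.0):
    """Closed-form maximiser of ENBIS for the class-I function, from the first-order condition
    v*beta*alpha*loss / (alpha*z + 1)**(beta + 1) = 1."""
    k = v * beta * alpha * loss
    if k <= 1.0:
        return 0.0  # corner solution: even the first unit of investment does not pay for itself
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def gordon_loeb_bound(v, loss):
    """Upper bound on optimal investment shown by Gordon and Loeb: (1/e) * v * loss."""
    return v * loss / math.e


def grid_search_investment(v, loss, alpha=0.01, beta=1.0, step=0.5):
    """Brute-force cross-check of the closed form: scan z over [0, v*loss] and keep the best net benefit."""
    best_z = 0.0
    best_val = expected_net_benefit(0.0, v, loss, alpha, beta)
    z = 0.0
    while z <= v * loss:
        val = expected_net_benefit(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def monte_carlo_net_benefit(z, v, mean_loss, sigma=1.0, n=20000, seed=7, alpha=0.01, beta=1.0):
    """Average ENBIS(z) over heavy-tailed loss draws. The losses are a constructed lognormal with
    E[L] = mean_loss (assumption for illustration), standing in for a fitted breach-loss distribution."""
    rng = random.Random(seed)
    mu = math.log(mean_loss) - sigma ** 2 / 2.0  # lognormal parameterised so that the mean equals mean_loss
    total = 0.0
    for _ in range(n):
        loss = rng.lognormvariate(mu, sigma)
        total += expected_net_benefit(z, v, loss, alpha, beta)
    return total / n


if __name__ == "__main__":
    v, loss = 0.5, 1000.0  # constructed values: 50% baseline vulnerability, expected loss of 1000 units
    z_star = optimal_investment(v, loss)
    print(f"closed-form optimum  z* = {z_star:.2f}")
    print(f"grid-search optimum  z  = {grid_search_investment(v, loss):.2f}")
    print(f"ENBIS(z*)              = {expected_net_benefit(z_star, v, loss):.2f}")
    print(f"(1/e) * v * L          = {gordon_loeb_bound(v, loss):.2f}  (z* must not exceed this)")
    print(f"Monte Carlo ENBIS(z*)  = {monte_carlo_net_benefit(z_star, v, loss):.2f}")
```

With the constructed parameters the optimum is roughly 124 units against an expected loss of 1000, well under the 1/e bound of about 184; the Monte Carlo average over lognormal losses lands near the deterministic value because ENBIS is linear in the loss, which is what makes a fixed-investment simulation over sampled breach losses tractable in the first place.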
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Baschung, D., Gillard, S., Metzger, JC., Keupp, M.M. (2023). Individual Career Versus Corporate Security: A Simulation of CSO Investment Choices. In: Keupp, M.M. (eds) Cyberdefense. International Series in Operations Research & Management Science, vol 342. Springer, Cham. https://doi.org/10.1007/978-3-031-30191-9_11
DOI: https://doi.org/10.1007/978-3-031-30191-9_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30190-2
Online ISBN: 978-3-031-30191-9
eBook Packages: Business and Management (R0)