Individual Career Versus Corporate Security: A Simulation of CSO Investment Choices

Chapter in the book Cyberdefense

Abstract

For corporate security officers (CSOs), decisions about how much to invest in IT security are harder than microeconomic models suggest. Large budgets do not necessarily buy effective corporate protection, whereas a cybersecurity breach damages the individual CSO's career prospects regardless of how much was invested beforehand. In this chapter we build on the Gordon-Loeb model to develop a recursive model that simulates investment dynamics, CSO reputation and inter-firm migration as well as cyberdefense effectiveness. We argue that a positive (negative) dynamic should exist between high (low) CSO reputation and effective corporate protection, and we simulate this hypothesized relationship with a Monte Carlo process that uses data from real cybersecurity breaches.
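The chapter's own recursive CSO model is not reproduced on this page. The following Python script is an added worked example of the Gordon-Loeb (2002) baseline the chapter builds on, not the authors' code: it computes the optimal investment z* for the class I breach-probability function S(z, v) = v / (αz + 1)^β, checks it against the model's 1/e bound, and runs a small Monte Carlo in which breach sizes are drawn from a constructed lognormal distribution rather than from real breach data. The parameter values (v = 0.5, α = 1e-5 per dollar, β = 1, a median breach cost of 1,000,000 with σ = 1) are assumptions chosen for illustration.

```python
"""Added worked example of the Gordon-Loeb (2002) investment model.

Not the chapter's recursive CSO model; every parameter value below is an
illustrative assumption, and the breach data is constructed, not real."""
import math
import random


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Gordon-Loeb class I breach-probability function S(z, v) = v / (alpha*z + 1)**beta.

    z is the security investment, v the baseline vulnerability (probability of a
    breach at z = 0); alpha and beta set how quickly spending reduces it."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, alpha=1.0, beta=1.0):
    """Expected net benefit of information security: avoided expected loss minus spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha=1.0, beta=1.0):
    """Closed-form maximiser of enbis for the class I function.

    First-order condition: loss * v * alpha * beta * (alpha*z + 1)**-(beta + 1) = 1,
    solved for z and clamped at zero (spending nothing can be optimal)."""
    z = ((alpha * beta * v * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, z)


def one_over_e_bound(v, loss):
    """Gordon-Loeb's headline result: the optimal spend never exceeds v*L/e,
    i.e. roughly 37% of the expected loss with no investment at all."""
    return v * loss / math.e


def simulate_mean_cost(z, v, loss_median, loss_sigma, alpha=1.0, beta=1.0,
                       trials=20000, seed=1):
    """Monte Carlo over firm-years using constructed breach data.

    A breach occurs with probability S(z, v); its cost is lognormal, which is
    heavy tailed like real breach losses. Common random numbers are used so the
    'with' and 'without' investment runs see the same draws. Returns
    (mean annual cost with investment, spend z included; mean cost without)."""
    rng = random.Random(seed)
    s = breach_probability(z, v, alpha, beta)
    with_inv = without_inv = 0.0
    for _ in range(trials):
        u = rng.random()
        size = rng.lognormvariate(math.log(loss_median), loss_sigma)
        without_inv += size if u < v else 0.0
        # s <= v, so every breach in the invested run is also a breach above
        with_inv += (size if u < s else 0.0) + z
    return with_inv / trials, without_inv / trials


if __name__ == "__main__":
    v, alpha = 0.5, 1e-5                   # assumed: 50% baseline breach chance, alpha per dollar
    median, sigma = 1_000_000.0, 1.0       # assumed lognormal breach cost
    L = median * math.exp(sigma ** 2 / 2)  # expected loss given a breach (lognormal mean)
    z_star = optimal_investment(v, L, alpha)
    print(f"optimal investment z* = {z_star:,.0f}  (bound v*L/e = {one_over_e_bound(v, L):,.0f})")
    print(f"breach probability falls from {v:.3f} to {breach_probability(z_star, v, alpha):.3f}")
    with_inv, without_inv = simulate_mean_cost(z_star, v, median, sigma, alpha)
    print(f"mean annual cost: with investment {with_inv:,.0f}, without {without_inv:,.0f}")
```

Running the script shows the two points the abstract relies on: the budget that maximises expected net benefit is far below the expected loss (here well inside the v·L/e bound), and a heavy-tailed breach distribution means a single simulated firm-year can still lose far more than z* even when the investment was optimal. The chapter's contribution is to feed that residual breach risk back into CSO reputation and job mobility, which this baseline does not model.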

Author information

Corresponding author: David Baschung

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Baschung, D., Gillard, S., Metzger, JC., Keupp, M.M. (2023). Individual Career Versus Corporate Security: A Simulation of CSO Investment Choices. In: Keupp, M.M. (eds) Cyberdefense. International Series in Operations Research & Management Science, vol 342. Springer, Cham. https://doi.org/10.1007/978-3-031-30191-9_11
