Interdependent risk and cyber security : an analysis of security investment and cyber insurance
An increasing number of firms rely on highly interconnected information networks. In such environments, defense against cyber attacks is complicated by residual risks caused by the interdependence of the information security decisions of firms. IT security is affected not only by a firm's own management strategies but also by those of others. This dissertation investigates the effects of interdependent IT security risks on two widely used security risk management tools - investment in self-protection and cyber insurance. An economic perspective is utilized that permits a systematic exploration of the managerial and policy implications of interdependent risk and of possible responses that can help improve information security. This dissertation first demonstrates that the presence of interdependent risks gives rise to different externality problems: investments to defend against targeted attacks such as hacking and distributed denial of service (DDoS) attacks cause negative externalities, whereas protections against untargeted attacks such as viruses, worms, Trojan horses and spyware generate positive externalities. Chapter 3 of the dissertation theoretically explores the effects of interdependent risks on information security risk management strategies - information security investment and the purchase of cyber insurance products. It demonstrates that, compared to a situation with independent security risks, the level of investment in the context of interdependent security risk is not socially efficient. In the presence of targeted attacks, firms overinvest in information security, whereas in the presence of untargeted attacks firms underinvest in information security. We also found that, compared to the case of independent security risks, in the presence of positive externalities firms purchase less or equal insurance coverage, while in the presence of negative externalities firms purchase equal insurance coverage.
We concluded that the adoption of cyber insurance can at least partially solve the overinvestment problem, whereas the underinvestment problem becomes more severe. Chapter 4 uses data extracted from the 2007 and 2008 Korean Information Security Surveys to empirically test the hypotheses derived from the theoretical exploration. Although only some of the theoretical findings could be tested empirically because of the limitations of the data, the dissertation found evidence that supports some of the findings: compared to firms experiencing untargeted attacks, firms experiencing targeted attacks invest less in information security and purchase fewer cyber insurance policies. The dissertation is the first theoretical and empirical study linking different types of cyber attacks to information security management decisions. It contributes to the research on cyber security. Moreover, it might help organizations to improve security decisions and governments in formulating policies that lead to better social outcomes.
- In Collections: Electronic Theses & Dissertations
- Copyright Status: In Copyright
- Material Type: Theses
- Authors: Shim, Woohyun
- Thesis Advisors: Bauer, Johannes
- Committee Members: Wildman, Steve; Lacy, Stephen; Demaagd, Kurt
- Date Published: 2010
- Subjects: Cyberterrorism; Cyberterrorism--Prevention; Computer crimes; Computer crimes--Investigation; Computer viruses; Internet--Security measures
- Program of Study: Communication Arts and Sciences - Media and Information Studies
- Degree Level: Doctoral
- Language: English
- Pages: xi, 137 pages
- ISBN: 9781124381015; 1124381015
- Permalink: https://doi.org/doi:10.25335/z9jr-gj78