Mitigation and transfer of information security risk: Investment in financial instruments and technology

Posted on: 2007-11-02
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Bandyopadhyay, Tridib
GTID: 1459390005482027
Subject: Business Administration
Abstract/Summary:
Two challenging issues regarding a firm's IT security risk are (i) risk interdependence across firms in a networked world, and (ii) residual risk after technology-based mitigations are exhausted. My dissertation investigates these aspects of the IT security problem in two separate essays. Essay-I investigates the investment of a firm that could transfer IT security risk with the help of a cyber insurance contract. Essay-II investigates the IT security (technology) investment of an interconnected/integrated supply chain firm.

In essay-I, I integrate the indirect effect of a realized information asset/system breach (which works as an unmitigated background risk for the firm) in the firm's cyber insurance buying decisions. I find that a firm could optimize its investment decision in cyber insurance products by simultaneously exercising available control in secondary loss and claiming decisions. Depending on the insurer's knowledge/action on these off-contract controls of the insured firm, the cyber insurance market could be in information a/symmetry, which in turn helps explain the observed underdevelopment of the current cyber insurance market from a demand-side perspective. In essence, this work brings out the optimal investment strategy of a firm in IT security via the cyber insurance route, and in doing so, provides an explanation of why cyber insurance products are unattractive to IS managers in general.

In essay-II, I analyze the interdependent IT security risk of a supply chain firm that arises from: (i) the practice of sharing information assets/systems towards business process integration, and (ii) the use of inter-firm connectivity towards real-time information/data transfer. I show that sharing of information assets alone does not entail changes in investment, but interconnectivity alone decreases the firm's IT security investment. However, the combined effect of sharing information assets/systems and employing interconnectivity could sway investment in either direction. I also investigate the investment decision of the firm under (i) leader-follower, and (ii) coordinated decision structures, and compare the equilibrium costs of the firm under these situations. This work highlights how past decisions on business integration and the adopted structure of the decision process affect the IT security health (and costs) of a modern supply chain firm.
Keywords/Search Tags:IT security, Firm, Investment, Information, Cyber insurance, Decision, Transfer