Cybersecurity has gained prominence in the decision‐making of firms. Due to the increasing occurrences of threats in the cyberspace, investments in cybersecurity have become critical to mitigate the operational disruption of businesses. This paper surveys the theoretical literature on the firms' incentives to invest in cybersecurity. A taxonomy of the existing contributions is provided to frame them in a common reference scheme and a model is developed to encompass such contributions and discuss their main findings. Papers that investigate the investment problem of an isolated firm are distinguished from those that consider interdependent firms. In turn, interdependent cybersecurity is analyzed in three different contexts: (i) firms that operate their business via a common computer network, but are not competitors in the product market; (ii) firms that are competitors in the product market, but run their business using non‐interconnected computer systems; (iii) firms that are competitors and rely on a common computer network. Finally, promising avenues for future research and policy implications are discussed.