We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development, and uncertainties in predicting cyber incidents. Analyzing 1,479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity.
albeit inadvertently, introduce new, more subtle vulnerabilities. Research also suggests that attackers in cyberspace are not only rational and motivated by economic incentives [6], but also act strategically in identifying targets and approaches [7]; in other words, "The good guys are getting better, but the bad guys are getting badder faster" [8]. Perhaps there was a time a decade ago when cybersecurity was only a matter of "if" an organization was going to be compromised, but today it has become a question of "when," and "at what level."
Despite the proliferation of cyberattack capabilities and their potential implications, many organizations still perform poorly with respect to cybersecurity management. These companies ignore or underestimate cyber risks, or rely solely on generic off-the-shelf cybersecurity solutions. A mere 19% of chief information security officers (CISOs) are confident that their companies can effectively address a cybersecurity incident [9].
In May 2017, the WannaCry ransomware attack (ransomware being a type of malware that blocks access to computer systems until a ransom is paid) affected companies worldwide, even though a patch for the exploited Windows vulnerabilities had been made available by Microsoft months earlier in March 2017 [10]. As data grows in size and value, the increase of cyber risks and escalation of privacy concerns demand that managers improve their approach to cybersecurity capability development. Interventions to build such capabilities typically include improvements to technology already in place, in addition to the purchase of new technology, talent acquisition, and training, among other activities.
Research objective and approach
The importance of being proactive in cybersecurity capability development is well understood: it is more cost effective than taking a reactionary approach and reduces failure rates [11]. Although many executives and decision-makers are becoming aware of the significance of cybersecurity, a major question remains unanswered: Are experienced managers more proactive than inexperienced individuals in building cybersecurity capabilities? F...