Managing Cybersecurity: Data Access & Protection

54 Pages. Posted: 11 Dec 2022. Last revised: 24 Mar 2026

G Charlson

University of Oxford - Department of Economics; University of Cambridge - Cambridge-INET Institute

Ruslan Momot

University of Michigan, Stephen M. Ross School of Business

Marat Salikhov

New Economic School; SKOLKOVO Moscow School of Management

Oleh Stupak

University of Cambridge

Date Written: December 4, 2022

Abstract

We study how firms should jointly determine data access allocations and cybersecurity protection investments. A firm manages employees with heterogeneous productivities over a continuum of datasets and faces an adversary that may be either strategic (targeting the most exposed employee) or opportunistic (attacking uniformly at random). Our model is a Stackelberg game: the firm first chooses employee-specific data access levels and protection investments, after which the adversary observes these choices and selects a target. We show that the firm’s optimal policy exhibits a threshold structure: each employee is assigned the most valuable datasets up to an employee-specific cutoff. We also show that access and protection are linked through an expansion path that is independent of the adversarial environment. For managers, these findings imply that cybersecurity and organizational data design decisions must be coordinated. As adversarial attacks become stronger, the firm reduces data access, but protection may behave non-monotonically: stronger threats can lead to decreased spending on protection. As the adversary becomes more sophisticated in selecting targets, the firm responds by equalizing breach risk across a progressively wider set of employees, denying the adversary an obvious target. We classify the equilibrium into three regimes (Fully Connected, Partially Interior, and Fully Interior), corresponding to progressively more restrictive access policies. We illustrate the organizational implications of our framework for particular cases of crossing-productivity and generalist-specialist scenarios.

Keywords: cybersecurity strategy, access management, bipartite graphs

JEL Classification: D21, D85, L23, M11, M12, M15, M21, M54

Suggested Citation

Charlson, G and Momot, Ruslan and Salikhov, Marat and Stupak, Oleh, Managing Cybersecurity: Data Access & Protection (December 4, 2022). Available at SSRN: https://ssrn.com/abstract=4293509 or http://dx.doi.org/10.2139/ssrn.4293509

G Charlson

University of Oxford - Department of Economics

10 Manor Rd
Oxford, OX1 3UQ
United Kingdom

University of Cambridge - Cambridge-INET Institute

Sidgwick Avenue
Cambridge, CB3 9DD
United Kingdom

Ruslan Momot (Contact Author)

University of Michigan, Stephen M. Ross School of Business

701 Tappan Street
Ann Arbor, MI 48109
United States

HOME PAGE: http://www.ruslanmomot.info

Marat Salikhov

New Economic School

100A Novaya Street
Moscow, Skolkovo 143026
Russia

HOME PAGE: http://www.nes.ru

SKOLKOVO Moscow School of Management

1st km of Skolkovo highway
Odintsovsky District
Moscow 115035
Russia

Oleh Stupak

University of Cambridge

Trinity Ln
Cambridge, CB2 1TN
United Kingdom
