Download This PaperManaging Cybersecurity: Data Access & Protection
54 Pages Posted: 11 Dec 2022 Last revised: 24 Mar 2026
Date Written: December 4, 2022
Abstract
We study how firms should jointly determine data access allocations and cybersecurity protection investments. A firm manages employees with heterogeneous productivities over a continuum of datasets and faces an adversary that may be either strategic (targeting the most exposed employee) or opportunistic (attacking uniformly at random). Our model is a Stackelberg game: the firm first chooses employee-specific data access levels and protection investments, after which the adversary observes these choices and selects a target. We show that the firm’s optimal policy exhibits a threshold structure: each employee is assigned the most valuable datasets up to an employee-specific cutoff. We also show that access and protection are linked through an expansion path that is independent of the adversarial environment. For managers, these findings imply that cybersecurity and organizational data design decisions must be coordinated. As adversarial attacks become stronger, the firm reduces data access, but protection may behave non-monotonically: stronger threats can lead to decreased spending on protection. As the adversary becomes more sophisticated in selecting targets, the firm responds by equalizing breach risk across a progressively wider set of employees, denying the adversary an obvious target. We classify the equilibrium into three regimes---Fully Connected, Partially Interior, and Fully Interior---corresponding to progressively more restrictive access policies. We illustrate the organizational implications of our framework for particular cases of crossing-productivity and generalist-specialist scenarios.
Keywords: cybersecurity strategy, access management, bipartite graphs
JEL Classification: D21, D85, L23, M11, M12, M15, M21, M54
Suggested Citation: Suggested Citation
Ruslan Momot (Contact Author)
University of Michigan, Stephen M. Ross School of Business ( email )
701 Tappan Street
Ann Arbor, MI MI 48109
United States
HOME PAGE: http://www.ruslanmomot.info