Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision-Making
Information Systems Research, Forthcoming
39 Pages. Posted: 27 Apr 2017. Last revised: 29 Apr 2017
Date Written: January 26, 2017
Abstract
Managerial flexibility, or real options, embedded in IT investments allows resolving uncertainty not only by passively waiting for new information to arrive during deferral but also by proactively deploying mitigations. Classic real options models fail to account for the value of proactive uncertainty-reducing mitigations, since they assume that uncertainty is fixed or follows continuous, time-dependent dynamics. We present adaptations of these models that address this shortcoming. In our models, zero or more mitigations can be applied in varying sequences, mitigations have impulse-type effects on uncertainty reduction, and mitigations’ effects can be complementary, substitutive or synergetic. These traits make the value of mitigations path-dependent and conditional on the uncertainty-reduction ability of earlier deployed mitigations. We operationalize the effects of mitigations in the IT and the cybersecurity investment contexts. We also apply the adapted models to a real-world cybersecurity investment case from a Japanese company. Investments in multiple cybersecurity mitigations are typically treated as having a multiplicative effect, which leads to over-investment in mitigations. Our models avoid this problem, making it possible to lower cybersecurity costs without compromising on loss prevention. More generally, our models allow implementing the real options logic more fully by supporting both passive and proactive IT investment risk management.
Keywords: real options models, uncertainty-reducing mitigations, cybersecurity investments, IT investment risk management, active risk management