Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Journal of Management Information Systems, Forthcoming

48 Pages. Posted: 20 Apr 2010. Last revised: 13 Jul 2013

Xia Zhao

University of North Carolina at Greensboro - Information Systems & Supply Chain Management

Ling Xue

University of Georgia - Department of Management Information Systems

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

Date Written: March 11, 2013

Abstract

The interdependency of information security risks often induces firms to invest inefficiently in IT security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider (MSSP) serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

Keywords: information security, cyberinsurance, risk pooling, risk management, managed security service, economics of information systems

Suggested Citation

Zhao, Xia and Xue, Ling and Whinston, Andrew B., Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements (March 11, 2013). Journal of Management Information Systems, Forthcoming, Available at SSRN: https://ssrn.com/abstract=1593137 or http://dx.doi.org/10.2139/ssrn.1593137

Xia Zhao (Contact Author)

University of North Carolina at Greensboro - Information Systems & Supply Chain Management

401 Bryan Building
Greensboro, NC 27402-6179
United States

Ling Xue

University of Georgia - Department of Management Information Systems

600 S. Lumpkin Street
Athens, GA 30602
United States

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

CBA 5.202
Austin, TX 78712
United States
512-471-8879 (Phone)
