Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements
Journal of Management Information Systems, Forthcoming
48 Pages Posted: 20 Apr 2010 Last revised: 6 Aug 2014
Date Written: March 11, 2013
The interdependency of information security risks often induces firms to invest inefficiently in IT security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider (MSSP) serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.
Keywords: information security, cyberinsurance, risk pooling, risk management, managed security service, economics of information systems
Suggested Citation: Suggested Citation