Cyber Risk and Security Investment

41 Pages Posted: 17 Mar 2022 Last revised: 22 Jan 2024

See all articles by Toni Ahnert

Toni Ahnert

European Central Bank, Financial Research Division; Centre for Economic Policy Research (CEPR)

Michael Brolley

Wilfrid Laurier University - Lazaridis School of Business and Economics

David A. Cimon

Bank of Canada

Ryan Riordan

Queen's University - Smith School of Business; Ludwig-Maximilians-University Munich, Faculty of Business Administration (Munich School of Management)

Multiple version iconThere are 2 versions of this paper

Date Written: January 21, 2024

Abstract

We develop a model in which firms invest in cybersecurity to protect themselves and their clients from cyber attacks. Since cyber security investment is unobservable, firms may signal their investment to attract clients. In equilibrium, firms under-invest in cyber security. We derive testable implications for the modality of cyber attacks, the probability of a successful attack, and client fees. To raise efficiency, a regulator can impose a minimum level of security investment or legislate consumer protection that shifts the burden of cyber attacks from clients to firms. Both regulations induce firms to invest the constrained-efficient amount in cyber security.

Keywords: Cyber risk, cyber security, ransomware, security ratings, regulation

JEL Classification: G10, G28, K24

Suggested Citation

Ahnert, Toni and Brolley, Michael and Cimon, David A. and Riordan, Ryan, Cyber Risk and Security Investment (January 21, 2024). Available at SSRN: https://ssrn.com/abstract=4057505 or http://dx.doi.org/10.2139/ssrn.4057505

Toni Ahnert

European Central Bank, Financial Research Division ( email )

ECB Tower
Sonnemannstraße 20
Frankfurt am Main

HOME PAGE: http://toniahnert.com

Centre for Economic Policy Research (CEPR)

London
United Kingdom

Michael Brolley (Contact Author)

Wilfrid Laurier University - Lazaridis School of Business and Economics ( email )

Lazaridis Hall, 4071
75 University Avenue
Waterloo, Ontario N2L 3C5
Canada

HOME PAGE: http://www.mikerostructure.com

David A. Cimon

Bank of Canada ( email )

234 Wellington Street
Ottawa, Ontario K1A 0G9
Canada

HOME PAGE: http://www.davidcimon.ca

Ryan Riordan

Queen's University - Smith School of Business ( email )

Smith School of Business, Queen's University
143 Union Street
Kingston, Ontario K7L 3N6
Canada

Ludwig-Maximilians-University Munich, Faculty of Business Administration (Munich School of Management) ( email )

Schackstr. 4
Munich, 80539
Germany

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
298
Abstract Views
1,153
Rank
183,906
PlumX Metrics