Download This PaperManaging Cybersecurity: Data Access & Protection
43 Pages Posted: 11 Dec 2022 Last revised: 18 Dec 2022
Date Written: December 4, 2022
Abstract
A standard data access guideline is to limit employee access to only the essential data for their roles, raising the question of how to define these roles and the employees' corresponding data needs. We aim to address this question by considering a game-theoretic model of joint cybersecurity and operational decision-making. The firm chooses the level of data access for each of its employees and the overall level of cyber protection. Providing more data access to employees makes the firm more economically efficient but also more vulnerable to attacks by an adversary who steals the employees' data, inflicting damage that increases with the amount of data stolen. Adversaries may vary in their attack strength and sophistication rate (the ability to pinpoint the most attractive targets). We find that the firm may counter-intuitively decrease its overall protection level when adversarial attacks become stronger and increase its overall access level when the adversaries become more sophisticated.
Keywords: cybersecurity strategy, access management, bipartite graphs
JEL Classification: D21, D85, L23, M11, M12, M15, M21, M54
Suggested Citation: Suggested Citation
Ruslan Momot (Contact Author)
University of Michigan, Stephen M. Ross School of Business ( email )
701 Tappan Street
Ann Arbor, MI MI 48109
United States
HOME PAGE: http://www.ruslanmomot.info