Why Cybersecurity Investments Models May Offer Misleading Guidance to Practice?

36 Pages Posted: 4 Nov 2024

Mikko Siponen

University of Alabama

Gabriella Laatikainen

affiliation not provided to SSRN

Xiuyan Shao

affiliation not provided to SSRN

Abstract

Management’s insufficient allocation of resources has been a major concern for cybersecurity practitioners. A key research stream addressing this is the development of economic models aimed at calculating the optimal amount to invest. We argue that practitioners who faithfully apply these models run the risk of being misled, for three reasons. The first concern is the lack of reliable data for cybersecurity investment calculations; this issue relates to the data itself rather than to the models. The second is that the models make assumptions about cybersecurity investment that could be true (e.g., that decision-makers have a risk-neutral attitude), but neither the models nor the literature have examined whether they are true. The third is that many cybersecurity economic models contain assumptions that are known to be false in the real world. This third point means that even if reliable data were available, models containing false assumptions tend to offer misleading predictions for real-world applications. In this commentary, we aim to raise awareness within the cybersecurity community that many economic models for cybersecurity investment provide questionable advice in practice. They remain valid only under idealized conditions, which are rarely encountered in real-world settings. Despite their authors’ recommendations, many of these economic models should not be used as normative models in actual practice without case-by-case modifications by practitioners. Practitioners need to understand why many cybersecurity investment models may apply only under artificial laboratory conditions, and why their application in practice is questionable.

Keywords: investment models, economic models, risk management, cybersecurity investment, cybersecurity management

Suggested Citation

Siponen, Mikko and Laatikainen, Gabriella and Shao, Xiuyan, Why Cybersecurity Investments Models May Offer Misleading Guidance to Practice?. Available at SSRN: https://ssrn.com/abstract=5009539 or http://dx.doi.org/10.2139/ssrn.5009539

Mikko Siponen (Contact Author)

University of Alabama

Tuscaloosa, AL
United States

Gabriella Laatikainen

affiliation not provided to SSRN

No Address Available

Xiuyan Shao

affiliation not provided to SSRN

No Address Available

Paper statistics

Downloads: 22
Abstract Views: 91