Why Cybersecurity Investments Models May Offer Misleading Guidance to Practice?
36 Pages Posted: 4 Nov 2024
Abstract
Management’s insufficient allocation of resources has been a major concern for cybersecurity practitioners. A key research stream that addresses this concern is the development of economic models aimed at calculating the optimal amount to invest in cybersecurity. We argue that practitioners who faithfully apply these models run the risk of being misled, for three reasons. The first concern is the lack of reliable data for cybersecurity investment calculations; this issue lies with the data itself rather than with the models. The second concern is that the models rest on assumptions about cybersecurity investment that could be true (for example, that decision-makers have a risk-neutral attitude), but that neither the models nor the literature have examined to see whether they actually hold. The third concern is that many cybersecurity economic models contain assumptions that are known to be false in the real world. This third concern means that, even if reliable data were available, models built on false assumptions would still tend to offer misleading predictions for real-world applications. In this commentary, we aim to raise awareness within the cybersecurity community that many economic models for cybersecurity investment decisions provide questionable advice in practice. They remain valid only under idealized conditions, which are rarely encountered in real-world settings. Despite their authors’ recommendations, many of these economic models should not be used as normative models in actual practice without case-by-case modification by practitioners. Practitioners need to understand why many cybersecurity investment models may apply only under artificial laboratory conditions, and why their application in practice is questionable.
Keywords: investment models, economic models, risk management, cybersecurity investment, cybersecurity management