Abstract

This paper presents scenarios of information security—defending against directed security threats, risk-averse firm’s willingness to invest, and attacker’s propensity to security measures—each enhancing our understanding of a firm’s information security investment under different circumstances. We find that, when a firm tries to defend against directed attacks, the relative size of potential losses is an important factor in determining the level of optimal investment, and the total investment may drop when the system vulnerability is high. And a firm should carefully weight its and the potential attacker’s levels of aversion to risks in order to determine the most optimal level information security investments. The implications, limitations, and future directions of this research are also discussed.

Share

COinS