TY - JOUR
T1 - Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision making
AU - Benaroch, Michel
N1 - Funding Information:
History: Kai-Lung Hui, Senior Editor; Subodha Kumar, Associate Editor. Funding: This research has been supported in part by a research grant from the Brethen Institute for Operations Research at the Whitman School of Management, Syracuse University. Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2017.0714.
Publisher Copyright:
© 2018 INFORMS.
PY - 2018/6/1
Y1 - 2018/6/1
N2 - Managerial flexibility, or real options, embedded in information technology (IT) investments allows resolving uncertainty not only by passively waiting for new information to arrive during deferral but also by proactively deploying mitigations. Classic real options models fail to account for the value of proactive uncertainty-reducing mitigations, since they assume that uncertainty is fixed or follows a continuous, time-dependent dynamics. We present adaptations of these models that address this shortcoming. In our models, zero or more mitigations can be applied in varying sequences, mitigations have impulse-type effects on uncertainty reduction, and mitigations' effects can be complementary, substitutive, or synergetic. These traits make the value of mitigations path dependent and conditional on the uncertainty-reduction ability of earlier deployed mitigations. We operationalize the effects of mitigations in the IT and cybersecurity investment contexts. We also apply the adapted models to a real-world cybersecurity investment case from a Japanese company. Investments in multiple cybersecurity mitigations are typically treated as having a multiplicative effect that leads to overinvestment in mitigations. Our models avoid this problem, permitting to lower cybersecurity costs without compromising on loss prevention. More generally, our models allow implementing the real options logic more fully by supporting both passive and proactive IT investment risk management.
KW - Active risk management
KW - Cybersecurity investments
KW - IT investment risk management
KW - Real options models
KW - Uncertainty-reducing mitigations
UR - http://www.scopus.com/inward/record.url?scp=85048677870&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85048677870&partnerID=8YFLogxK
U2 - 10.1287/isre.2017.0714
DO - 10.1287/isre.2017.0714
M3 - Article
AN - SCOPUS:85048677870
SN - 1047-7047
VL - 29
SP - 315
EP - 340
JO - Information Systems Research
JF - Information Systems Research
IS - 2
ER -