Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision making

Research output: Contribution to journalArticle

16 Scopus citations

Abstract

Managerial flexibility, or real options, embedded in information technology (IT) investments allows resolving uncertainty not only by passively waiting for new information to arrive during deferral but also by proactively deploying mitigations. Classic real options models fail to account for the value of proactive uncertainty-reducing mitigations, since they assume that uncertainty is fixed or follows a continuous, time-dependent dynamics. We present adaptations of these models that address this shortcoming. In our models, zero or more mitigations can be applied in varying sequences, mitigations have impulse-type effects on uncertainty reduction, and mitigations' effects can be complementary, substitutive, or synergetic. These traits make the value of mitigations path dependent and conditional on the uncertainty-reduction ability of earlier deployed mitigations. We operationalize the effects of mitigations in the IT and cybersecurity investment contexts. We also apply the adapted models to a real-world cybersecurity investment case from a Japanese company. Investments in multiple cybersecurity mitigations are typically treated as having a multiplicative effect that leads to overinvestment in mitigations. Our models avoid this problem, permitting to lower cybersecurity costs without compromising on loss prevention. More generally, our models allow implementing the real options logic more fully by supporting both passive and proactive IT investment risk management.

Original languageEnglish (US)
Pages (from-to)315-340
Number of pages26
JournalInformation Systems Research
Volume29
Issue number2
DOIs
StatePublished - Jun 1 2018

Keywords

  • Active risk management
  • Cybersecurity investments
  • IT investment risk management
  • Real options models
  • Uncertainty-reducing mitigations

ASJC Scopus subject areas

  • Management Information Systems
  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management
  • Library and Information Sciences

Fingerprint Dive into the research topics of 'Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision making'. Together they form a unique fingerprint.

  • Cite this