Search in:

Journal of Management Information Systems Volume 30, 2013 - Issue 1

Journal homepage

775

Views

CrossRef citations to date

Altmetric

Original Article

Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Xia Zhao Bryan School of Business and Economics, University of North Carolina at Greensboro

Ling Xue Bryan School of Business and Economics, University of North Carolina at Greensboro

Andrew B. Whinston Center for Research in Electronic Commerce, University of Texas at Austin

Pages 123-152 | Published online: 08 Dec 2014

Cite this article
https://doi.org/10.2753/MIS0742-1222300104

Sample our Information Science journals, sign in here to start your FREE access for 14 days

References
Citations
Metrics
Reprints & Permissions
Read this article /doi/epdf/10.2753/MIS0742-1222300104?needAccess=true

Abstract

The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

Keywords:

cyberinsurance
information security
interdependent risks
managed security services
risk management
risk pooling

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related Research Data

On Moral Hazard and Insurance

Source: Oxford University Press (OUP)

Insurance with undiversifiable risk: Contract structure and organizational form of insurance firms.

Source: Elsevier BV

A Study of the Value and Impact of B2B E-Commerce: The Case of Web-Based Procurement

Source: Informa UK Limited

INSURANCE THEORY: RESERVES VERSUS MUTUALITY

Source: Wiley

MORAL HAZARD IN RISK POOLING ARRANGEMENTS

Source: JSTOR

Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments

Source: Springer Science and Business Media LLC

Mobile banking: Exploring determinants of its adoption

Source: Informa UK Limited

A framework for using insurance for cyber-risk management

Source: Association for Computing Machinery (ACM)

Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers

Source: Informa UK Limited

The economics of information security investment

Source: Association for Computing Machinery (ACM)

Sharing information on computer systems security: An economic analysis

Source: Elsevier BV

Understanding the Value of Countermeasure Portfolios in Information Systems Security

Source: Informa UK Limited

The Formation of Mutual Insurers in Markets with Adverse Selection

Source: University of Chicago Press

Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization

Source: MDPI AG

:{unav)

Source: Springer Science and Business Media LLC

Optimal Risk Sharing with Limited Liability

Source: Elsevier BV

Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment

Source: Informa UK Limited

Embracing and controlling risk dependency in cyber-insurance policy underwriting

Source: Oxford University Press (OUP)

Contracting structures for custom software development: the impacts of informational rents and uncertainty on internal development and outsourcing

Source: Institute for Operations Research and the Management Sciences (INFORMS)

The “Darth” side of technology use : an inductively derived typology of cyberdeviance.

Source: Informa UK Limited

Equilibrium in Competitive Insurance Markets: An Essay on the Economics of Imperfect Information

Source: Springer Netherlands

Estimating the Contextual Risk of Data Breach: An Empirical Approach

Source: Informa UK Limited

Incomplete contracting issues in information systems development outsourcing

Source: Elsevier BV

Investments in Information Security: A Real Options Perspective with Bayesian Postaudit

Source: Informa UK Limited

Information security outsourcing with system interdependency and mandatory security requirement

Source: Informa UK Limited

A game-theoretic analysis of information security investment for multiple firms in a network

Source: Informa UK Limited

The effect of information security certification announcements on the market value of the firm

Source: Springer Science and Business Media LLC

Contracting Information Security in the Presence of Double Moral Hazard

Source: Institute for Operations Research and the Management Sciences (INFORMS)

Outsourcing Managed Security Services

Source: Defense Technical Information Center

An inter-organizational information system for supply chain management

Source: Elsevier BV

Growth and sustainability of managed security services networks: an economic perspective

Source: JSTOR

Enterprise security economics: A self‐defense versus cyber‐insurance dilemma

Source: Wiley

Demand Heterogeneity in IT Infrastructure Services: Modeling and Evaluation of a Dynamic Approach to Defining Service Levels

Source: Institute for Operations Research and the Management Sciences (INFORMS)

Linking provided by

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.

People also read
Recommended articles
Cited by

To cite this article:

Reference style: APA Chicago Harvard

Citation copied to clipboard

Reference styles above use APA (6th edition), Chicago (16th edition) & Harvard (10th edition)

Download citation

Download a citation file in RIS format that can be imported by citation management software including EndNote, ProCite, RefWorks and Reference Manager.

Choose format: RIS BibTex RefWorks Direct Export

Choose options: Citation Citation & abstract Citation & references

Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Related Research Data

Information for

Open access

Opportunities

Help and information

Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Abstract

Reprints and Corporate Permissions

Academic Permissions

Related Research Data

Related research

To cite this article:

Download citation

Information for

Open access

Opportunities

Help and information

Keep up to date

Your download is now in progress and you may close this window

Login or register to access this feature