Abstract
Cybersecurity has gained prominence in the decision-making of firms. Due to the increasing occurrence of threats in cyberspace, investments in cybersecurity have become critical to mitigate the operational disruption of businesses. This cumulative dissertation comprises three self-consistent research papers that study the investment in cybersecurity from an economic perspective. The first chapter is a theoretical contribution that surveys the theoretical literature on firms’ incentives to invest in cybersecurity. A taxonomy of the existing contributions is provided to frame them in a common reference scheme, and a model is developed to encompass such contributions and discuss their main findings. Papers that investigate the investment problem of an isolated firm are distinguished from those that consider interdependent firms. In turn, interdependent cybersecurity is analyzed in three different contexts: (i) firms that operate their business via a common computer network, but are not competitors in the product market; (ii) firms that are competitors in the product market, but run their business using non-interconnected computer systems; (iii) firms that are competitors and rely on a common computer network. The survey summarizes conditions under which either underinvestment or overinvestment in cybersecurity arises. This might help outline tools that regulators and public policymakers can consider to promote adequate levels of investment. The second chapter is also a theoretical work that studies a peculiar form of investment, namely cyber-insurance, and its relation to the firm’s equity value. The literature has extensively studied how stock markets react to the news of a cyber breach affecting a publicly listed company. Empirical findings show that a cyber breach announcement is followed by a drop in the market value of the breached firm.
Some studies consider this reaction as driven by specific characteristics of the breached firms, such as their size or sector of activity. Recently, insurance against cyber risk has gained relevance as a tool for risk management; however, the analysis of the interaction between the cyber-insurance market and the equity market has been left unexplored. In this chapter, a three-stage game between firms and investors is formalized and a set of hypotheses is derived; finally, an empirical strategy to test such hypotheses is outlined. The analysis offers a useful framework for the discussion of policy measures such as incentives for the adoption of cyber-insurance or the promotion of information transparency on both the insurance and the equity markets. The third chapter presents an empirical application that deals with the zero observations that often predominate in survey-collected cybersecurity data, and discusses the statistical association between cybersecurity investment and losses from cyber breaches. Survey data often exhibit an unusually high frequency of zeros in the first interval. Zero-inflated ordered probit models handle the excess of zeros by combining a split probit model and an ordered probit model. A robust inference method based on exponential tilting is then considered to estimate such a model. The methodology is motivated by the analysis of data from the Cyber Security Breaches Survey on cybersecurity breaches to study the relationship between investments in cyber defences and losses from cyber breaches. The findings do not reject the hypothesis of a loss-reducing effect of the investment in cybersecurity, providing supporting evidence to policies advocating the adoption of cybersecurity countermeasures among firms.