Abstract
Cybersecurity has gained prominence in the decision-making of firms. Due to the increasing occurrence
of threats in cyberspace, investments in cybersecurity have become critical to mitigate the
operational disruption of businesses. This paper surveys the theoretical literature on firms’ incentives
to invest in cybersecurity. A taxonomy of the existing contributions is provided to frame them in
a common reference scheme and a model is developed to encompass such contributions and discuss
their main findings. Papers that investigate the investment problem of an isolated firm are distinguished
from those that consider interdependent firms. In turn, interdependent cybersecurity is analyzed in
three different contexts: (i) firms that operate their business via a common computer network, but are
not competitors in the product market; (ii) firms that are competitors in the product market, but run
their business using non-interconnected computer systems; (iii) firms that are competitors and rely on
a common computer network. Promising avenues for future research are discussed in the conclusions.