Contrasting the optimal resource allocation to cybersecurity controls and cyber insurance using prospect theory versus expected utility theory

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-25 DOI:10.1016/j.cose.2025.104450

Chaitanya Joshi , Sergeja Slapničar , Jinming Yang , Ryan K.L. Ko

{"title":"Contrasting the optimal resource allocation to cybersecurity controls and cyber insurance using prospect theory versus expected utility theory","authors":"Chaitanya Joshi , Sergeja Slapničar , Jinming Yang , Ryan K.L. Ko","doi":"10.1016/j.cose.2025.104450","DOIUrl":null,"url":null,"abstract":"<div><div>Protecting against cyber-threats is essential for every organization and can be achieved by investing in cybersecurity controls and purchasing cyber insurance. These two alternatives are interlinked, as insurance premiums can be reduced by investing more in cybersecurity controls. However, cyber insurance remains under-utilized, a puzzle that Expected Utility Theory (EUT) cannot explain. In this paper, we analyze how decision-makers allocate resources between cybersecurity controls and cyber insurance, comparing optimal allocation under Prospect Theory (PT) to that under EUT. We propose a new functional form of risk curves to model the relationship between investment in cybersecurity controls and cyber risk, demonstrating how a bespoke risk curve can be fitted for an organization. We derive the optimal allocation strategy of resources to cybersecurity controls and cyber insurance under EUT and PT paradigms. Using mathematical results and numerical examples, we identify specific behavioral considerations in PT that lead to different resource allocations compared to EUT. We show that decision-makers aligned with EUT are generally indifferent to purchasing insurance, whereas those aligned with PT favor full insurance coverage; otherwise, they invest more in self-protection. Our results indicate that, in addition to a challenging cybersecurity environment and the nature of insurance coverage, behavioral aspects (diminished sensitivity to losses and probability weights) play a key role in determining the optimal level of investment in cybersecurity.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104450"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001397","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Protecting against cyber-threats is essential for every organization and can be achieved by investing in cybersecurity controls and purchasing cyber insurance. These two alternatives are interlinked, as insurance premiums can be reduced by investing more in cybersecurity controls. However, cyber insurance remains under-utilized, a puzzle that Expected Utility Theory (EUT) cannot explain. In this paper, we analyze how decision-makers allocate resources between cybersecurity controls and cyber insurance, comparing optimal allocation under Prospect Theory (PT) to that under EUT. We propose a new functional form of risk curves to model the relationship between investment in cybersecurity controls and cyber risk, demonstrating how a bespoke risk curve can be fitted for an organization. We derive the optimal allocation strategy of resources to cybersecurity controls and cyber insurance under EUT and PT paradigms. Using mathematical results and numerical examples, we identify specific behavioral considerations in PT that lead to different resource allocations compared to EUT. We show that decision-makers aligned with EUT are generally indifferent to purchasing insurance, whereas those aligned with PT favor full insurance coverage; otherwise, they invest more in self-protection. Our results indicate that, in addition to a challenging cybersecurity environment and the nature of insurance coverage, behavioral aspects (diminished sensitivity to losses and probability weights) play a key role in determining the optimal level of investment in cybersecurity.

查看原文本刊更多论文

应用前景理论与期望效用理论对比网络安全控制与网络保险的最优资源配置

防范网络威胁对每个组织都至关重要，可以通过投资网络安全控制和购买网络保险来实现。这两种选择是相互关联的，因为可以通过在网络安全控制方面投入更多资金来降低保险费。然而，网络保险仍然没有得到充分利用，这是期望效用理论（EUT）无法解释的难题。本文分析了决策者如何在网络安全控制和网络安全保险之间进行资源配置，并比较了前景理论和优价条件下的最优配置。我们提出了一种新的功能形式的风险曲线来模拟网络安全控制投资与网络风险之间的关系，展示了如何将定制的风险曲线适合于组织。我们推导了在EUT和PT范式下网络安全控制和网络保险资源的最优配置策略。利用数学结果和数值示例，我们确定了与EUT相比，PT中导致不同资源分配的特定行为考虑因素。我们发现，与EUT一致的决策者通常对购买保险漠不关心，而与PT一致的决策者则倾向于全额保险；否则，他们会在自我保护方面投入更多。我们的研究结果表明，除了具有挑战性的网络安全环境和保险范围的性质外，行为方面（对损失和概率权重的敏感度降低）在决定网络安全投资的最佳水平方面也起着关键作用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.