Enterprise security economics: A self-defense versus cyber-insurance dilemma

We propose a model that optimizes enterprise investments in cybersecurity using expected utility theory. The model allows computing (a) investment in self-defense to reduce the risk of security breaches, (b) investment in cyber insurance to transfer the residual risk to insurance companies, and (c) investment in forensic readiness to make the insured firms capable of generating provable insurance claims about security breaches. A three-phase-based model of vulnerability rate evolution over time is proposed and used to estimate the different planned security expenditures throughout the investment horizon. At the starting time of investment, a decision maker invests to cover the existing risk of breach and periodically spends to cover the additional risk observed due to the release of new vulnerabilities. In this work, the intermediate tranches are determined while considering three different attitudes of decision makers, namely, optimistic, pessimistic, and realistic. An analysis is conducted to assess the performance of the proposed models.