Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

UNCG Author/Contributor (non-UNCG co-authors, if there are any, appear on document)
Xia Zhao, Associate Professor (Creator)
The University of North Carolina at Greensboro (UNCG )
Web Site:

Abstract: The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

Additional Information

Journal of Management Information Systems
Language: English
Date: 2013
cyberinsurance, information security, interdependent risks, managed security services, risk management, risk pooling

Email this document to