Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision-Making


Author Information : Michel Benaroch (Whitman School of Management, Syracuse University)

Year of Publication : Information Systems Research (forthcoming)

Summary of Findings : This research presents models that implement the real options logic more fully by recognizing that managerial flexibility, or real options, embedded in IT investments allows resolving uncertainty not only by passively waiting for new information to arrive during deferral but also by proactively deploying mitigations.

Research Questions : 1. How to account for the value of optional proactive value-reducing mitigations?

2. How to apply real options models to cybersecurity investment problems in order to avoid over-deployment of cybersecurity mitigations (solutions) without compromising on loss-prevention potential?

What we know : Managerial flexibility, or real options, embedded in IT investments allows resolving uncertainty not only by passively waiting for new information to arrive during deferral but also by proactively deploying mitigations. For example, flexibility to make a small-scale investment in a prototype system allows management to resolve uncertainty by passively waiting for new information to arrive during the prototype-building period as well as by actively conducting feasibility studies and technical performance tests of the firm’s technological ability to build successfully the full-scale system.

Classic real options models fail to consider proactive uncertainty-reducing mitigations because they assume that uncertainty is fixed or follows a continuous, time-dependent dynamic.

Extant models for evaluating investments in multiple cybersecurity mitigations (solutions) typically treat the mitigations as independent and having a multiplicative loss-prevention effect, although incremental investments are known to have diminishing (or no) benefits beyond a certain point. This shortcoming leads to over-deployment of mitigations and lowers cybersecurity investment efficiency. In practice, managers are increasingly facing a challenge of justifying the tangible cost of investing in cybersecurity (which shows on the books) against the intangible benefit of loss-prevention potential (which does not).

Novel Findings : This study presents adaptations of classic real options models that also account for the value of proactive uncertainty-reducing mitigations. In our models, zero or more mitigations can be applied in varying sequences, mitigations have impulse-type effects on uncertainty-reduction, and mitigations’ effects can be complementary, substitutive or synergetic. These traits make the value of mitigations path-dependent and conditional on the uncertainty-reduction ability of earlier deployed mitigations.

The research applies adapted models to a real-world investment case from a Japanese company, showing how they can lower cybersecurity investment costs without compromising on loss-prevention potential. Practically speaking, our models’ ability to increase the efficiency of cybersecurity investments is crucial considering that cybersecurity investments’ cost is real and shows on the books while their loss-prevention benefits do not.

Novel Methodology : Spreadsheet tools implementing the adapted models are applied to the real-world cybersecurity investment case. One tool implements analytical models for handling up to two mitigations applied sequentially or concurrently. Another tool implements a binomial lattice-sublattice model for handling more than two mitigations.

Implications for Practice : The models enable IT practitioners to implement the logic of real options more fully by supporting both passive and proactive IT investment risk management.

The models help IT practitioners connect better with the intuition of real options models because the study's conceptualization of the impact of uncertainty-reducing mitigations fits well with the notion that risk management narrows down the cone of uncertainty as a project investment progresses.

Managers can better confront the challenge of balancing tangible costs of increased investment in cybersecurity against intangible benefits of loss-prevention potential. The models’ handling of optional sequentially-deployed cybersecurity mitigations (solutions) with conditionality facilitates lowering cybersecurity costs without compromising on the ability to prevent cybersecurity losses.

Implications for Research : This work moves IT investment research in the direction suggested by Adner and Levinthal (2004, p. 76): “The wait-and-see setting of financial options represents one “extreme” case for which the methodology is ideally suited … it is important to move the real options logic to a world of act-and-see, in which uncertainty resolution is endogenous [internal] to firm activity.”

This paper is the first to address proactive uncertainty-reducing mitigations in connection with IT investment decision-making, opening two main avenues for future research.

1. Empirical validation. While this framing of mitigations and their impact follows the traditional intuition that risk management progressively narrows down the cone of uncertainty, it remains to be seen how well this intuition and its formalization in these models fit the reasoning of IT decision-makers in practice. Extensions to this paper could be case and field studies that apply these adapted models with the active involvement of IT decision-makers.

2. Practical estimation of mitigations’ impact on uncertainty. Research could develop and validate estimation methods that are data-based, model-based, or expert-based. Expert-based estimation could offer important benefits by also providing a sanity check for the conceptualization of mitigations in our models, especially since it is not known if the meaning of mitigations’ impact on uncertainty would be interpreted consistently across different experts and investment situations.

Full Citations : Benaroch, Michel, “Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision-making,” Information Systems Research, forthcoming.

Abstract : Managerial flexibility, or real options, embedded in IT investments allows resolving uncertainty not only by passively waiting for new information to arrive during deferral but also by proactively deploying mitigations. Classic real options models do not consider proactive uncertainty-reducing mitigations in that they assume fixed uncertainty. This research presents adaptations of these models that account for the value of proactive uncertainty-reducing mitigations. In the study's models, zero or more mitigations can be applied in varying sequences, mitigations have impulse-type effects on uncertainty-reduction, and mitigations’ effects can be complementary, substitutive or synergetic. These traits make the value of mitigations path-dependent and conditional on the uncertainty-reduction ability of earlier deployed mitigations. The research operationalizes and applies these models in the cybersecurity investment context. Investments in multiple cybersecurity mitigations (solutions) are typically assumed to be independent, with a multiplicative preventative effect that leads to over-investment in mitigations. This study demonstrates how these models overcome this problem using a real-world investment case from a Japanese company. Practically speaking, these models can lower cybersecurity investment costs without compromising on loss-prevention potential. More generally, these models enable IT practitioners to implement the logic of real options more fully by supporting both passive and proactive IT investment risk management.


Michel Benaroch


Professor Benaroch is associate dean for research and professor of MIS at the Whitman School of Management. Professor Benaroch’s research addresses issues concerning the economics of IT investment, IT investment risk, ontology-centered knowledge representation, and artificial intelligence applications in finance. He has published extensively in information systems and computer science journals, including MIS Quarterly, Information Systems Research, Journal of MIS, IEEE Transactions on Software Engineering, International Journal of Accounting Information Systems, and International Journal of Human-Computer Interaction. He was ranked #26 among the top-100 researchers worldwide who published in top Information Systems journals (MISQ, ISR, JMIS, and JAIS) during 1999-2011.