
Optimal Investment in Cyber-Security under Cyber Insurance for a Multi-Branch Firm

Abstract:

While there are many ways for companies to react to cybersecurity risks, all of them can be classified into two categories: risk mitigation and risk transfer. Risk mitigation is the more standard approach and includes various ways to strengthen cybersecurity measures; for example, companies could invest in more secure cyber infrastructure and in improved cybersecurity training for employees. Risk transfer is a newer domain, and a major way companies achieve it is through insurance. While the two are very different approaches, they can be used in conjunction. It is therefore important to analyze how much of their limited resources companies should allocate to each cybersecurity defense measure across a wide variety of scenarios.

The paper focuses in particular on large firms with multiple branches. Each branch, in the event of a cybersecurity breach, may sustain damage by itself or may also affect the headquarters. The paper derives a mathematical model that describes the optimal allocation of resources between the two defense measures by considering many factors, such as the type of insurance liability, the organizational structure, the likelihood of a cybersecurity breach propagating from a branch to the headquarters, and intrinsic vulnerability. An interesting result of this exercise is that when the level of cybersecurity is either very high or very low, firms should invest more in insurance, whereas in other scenarios they should gravitate towards risk mitigation.

Authors:
Alessandro Mazzoccoli, Maurizio Naldi
Year:
2021
MIT Political Science