Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision Making

Published Online: https://doi.org/10.1287/isre.2017.0714
