While most IT security investment decisions are made without considering the broader industry, three researchers at the University of Alberta say this might not be wise. During the Ninth Workshop on the Economics of Information Security (WEIS 2010), Bora Kolfal, Raymond Patterson and Lisa Yeo presented a paper titled “Market Impact on IT Security Spending,” which focused on developing an economic model organizations can use to plan future IT security investments.
“The firm’s IT security spending reduces the frequency of adverse IT security events experienced by the firm, this affecting customer demand for the firm’s products,” the researchers said. “IT security spending by competitor firms will affect customer demand for the firm’s products, either positively or negatively.”
In certain situations, firms can increase profits by cooperating with other companies to increase IT security spending, according to the researchers.
“Under certain conditions, it is possible for both firms to increase profits if they cooperate and increase IT security spending, even though the individually rational choice is to not increase IT security spending,” they said.
The amount of money spent on IT security is also linked to the amount of demand from customers following IT security spending, the researchers said.
“There are significant changes to the optimal IT security spending for a firm when there are cross-over effects on customer demand when compared to the neutral case with no cross-over,” they said.
The researchers developed an economic model that accounts for the variables present in business situations. The researchers found that the more similar firms are, the easier it is to cooperate.
“Our model is successful in obtaining insights for different possible indirect effects of adverse IT security events on customer demand and firm IT security spending,” they said. “IT security is not traditionally perceived as a mechanism to increase sales and we illustrate the competitive impact of IT security spending on customer demand changes resulting from adverse events.”