Robustness of Optimal Investment Decisions in Mixed Insurance/Investment Cyber Risk Management

Risk Anal. 2020 Mar;40(3):550-564. doi: 10.1111/risa.13416. Epub 2019 Oct 15.

Abstract

An integrated risk management strategy, combining insurance and security investments, where the latter contribute to reducing the insurance premium, is investigated to assess whether it can lead to reduced overall security expenses. The optimal investment for this mixed strategy is derived under three insurance policies, covering, respectively, all the losses (total coverage), just those below the limit of maximum liability (partial coverage), and those above a threshold but below the maximum liability (partial coverage with deductibles). Under certain conditions (e.g., low potential loss, or either very low or very high vulnerability), however, the mixed strategy reverts to insurance alone, because investments do not provide an additional benefit. When the mixed strategy is the best choice, the dominant component in the overall security expenses is the insurance premium in most cases. Optimal investment decisions require an accurate estimate of the vulnerability, whereas larger estimation errors may be tolerated for the investment-effectiveness coefficient.

Keywords: Cybersecurity; Gordon-Loeb model; risk management; security economics; security investments.