Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization

Abstract

Network interconnection and information sharing among firms and their departments expose them to cybersecurity breaches. Traditional cybersecurity studies have paid little attention to the reallocation of security investment within firms. This paper proposes a mathematical model for optimal allocation of cybersecurity investment among headquarters and branches with budget constraints. The differences in size of information sets and system interconnection have been taken into account. The responses of optimal allocation to internal and external factors, such as the portion of branch information set, the propagation probability, the budget constraints, and the intrinsic vulnerability, have been studied in deep both theoretically and numerically. Analysis results indicate that the group will give priority to protecting headquarters when the total budget is small and intrinsic vulnerability is high. The security investment allocated to each branch increases with budget, propagation probability and portion of information set, but never exceeds 1 / ( n + 1 ) of total budget. Numerical simulations also verify that security information sharing among headquarters and branches can help improve the efficiency of security investment in the whole system. Furthermore, the findings of this paper will draw attention to the reallocation of cybersecurity investment within a business group and help cybersecurity managers to develop investment allocation strategies and policies.