An economic model to evaluate information security investment of risk-taking small and medium enterprises

This paper analyzes information security investment decisions made by risk taking small and medium enterprises (SMEs) using the expected utility approach. It then compares these decisions to ones made by a risk neutral firm. We find that risk takers are inclined to prioritize an information set's vulnerability over its value when making investment decisions. We also find that a risk taking firm may invest a larger amount in protecting a set than the risk neutral firm when the effectiveness of the investment in lowering breach probability is low. Finally, we show that for a group of information sets of equal value and varying vulnerabilities, the risk neutral decision maker will diversify security investment to a greater extent than the risk taker. As a result, the risk taker will invest a larger amount than the risk neutral firm would when protecting the high risk sets in the group. The results provide guidance to information security vendors when tailoring products to suit small businesses.