Journal of Enterprise Information Management (IF 7.4). Pub Date: 2024-10-23. DOI: 10.1108/jeim-04-2023-0189. Authors: Kunxiang Dong, Jie Zhen, Zongxiao Xie, Lin Chen
Purpose
To remain competitive in an unpredictable environment where the complexity and frequency of cybercrime are rising rapidly, a cyber resilience strategy is vital for business continuity. One barrier to improving cyber resilience is that security defense and incident recovery are not combined effectively: firms emphasize defense strategies and are left ill-prepared to respond to the attacks that succeed. The present study therefore develops an expected resilience framework to assess cyber resilience, analyze defense and recovery investment strategies, and balance the allocation of security investment between the two.
Design/methodology/approach
Based on expected utility theory, this paper presents an expected resilience framework comprising an expected investment resilience model and an expected profit resilience model, which directly address the optimal joint investment decision between defense and recovery. The effects of linear and nonlinear recovery functions, risk interdependence, and cyber insurance on defense and recovery investment are also analyzed.
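As an added illustration of what a joint defense/recovery decision under an expected-loss objective looks like in code (this is not the paper's model; the abstract does not give its functional forms), the script below minimises spend plus expected residual loss over a defense budget d and a recovery budget r. The breach-probability function, the exponential (nonlinear) recovery function, the parameter values and the grid search are all assumptions chosen for the example, and the closed-form optimum is derived from those assumed forms only.

```python
"""Joint defense/recovery investment under an expected-loss objective.

Added illustration: the functional forms and constants below are assumptions
chosen for the example, not the paper's expected resilience model.
"""
import math
from itertools import product

# Constructed scenario (assumed values).
LOSS = 100.0   # loss from a successful attack if nothing is recovered
VULN = 0.6     # breach probability with zero defense spend
ALPHA = 0.5    # defense investment coefficient: how fast spend lowers breach probability
BETA = 0.1     # recovery investment coefficient: how fast spend shrinks residual loss


def breach_prob(d: float, alpha: float = ALPHA) -> float:
    """Breach probability after defense spend d (assumed hyperbolic form)."""
    return VULN / (1.0 + alpha * d)


def residual_loss(r: float, beta: float = BETA) -> float:
    """Loss that survives recovery spend r (assumed nonlinear, exponential decay)."""
    return LOSS * math.exp(-beta * r)


def expected_cost(d: float, r: float) -> float:
    """Spend plus expected residual loss: the quantity the firm minimises."""
    return d + r + breach_prob(d) * residual_loss(r)


def expected_resilience(d: float, r: float) -> float:
    """Share of the no-investment expected loss that the plan (d, r) avoids."""
    baseline = expected_cost(0.0, 0.0)
    return 1.0 - expected_cost(d, r) / baseline


def optimise(step: float = 0.5, max_spend: float = 60.0) -> tuple:
    """Grid search for the (d, r) pair with the lowest expected cost."""
    grid = [i * step for i in range(int(max_spend / step) + 1)]
    return min(product(grid, grid), key=lambda dr: expected_cost(*dr))


def analytic_optimum() -> tuple:
    """Stationary point of expected_cost for the assumed forms.

    dC/dr = 0  ->  exp(-beta*r) = 1 / (beta * p(d) * LOSS)
    dC/dd = 0, after substituting the line above  ->  1 + alpha*d = alpha/beta
    so d* = 1/beta - 1/alpha and r* = ln(beta * p(d*) * LOSS) / beta,
    clamped at zero when a corner solution applies.
    """
    d_star = max(0.0, 1.0 / BETA - 1.0 / ALPHA)
    r_star = max(0.0, math.log(BETA * breach_prob(d_star) * LOSS) / BETA)
    return d_star, r_star


if __name__ == "__main__":
    d, r = optimise()
    print(f"grid optimum: defense={d}, recovery={r}, cost={expected_cost(d, r):.2f}")
    print(f"analytic optimum: {analytic_optimum()}")
    print(f"no investment: cost={expected_cost(0.0, 0.0):.2f}")
    print(f"defense only, d=9: cost={expected_cost(9.0, 0.0):.2f}")
    print(f"expected resilience at optimum: {expected_resilience(d, r):.3f}")
```

With these assumed values the joint optimum (about d = 8, r = 1.8) beats both the no-investment baseline and the best defense-only plan, which is the point the abstract makes about treating defense and recovery as one decision; the direction in which the optimum moves when a coefficient changes depends on the functional forms, so the paper's own findings should be read against its model, not this one.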
Findings
According to the findings, increasing the defense investment coefficient reduces both defense and recovery investment while increasing expected resilience. The nonlinear recovery function requires a smaller defense investment and a smaller overall security investment than the linear one, reflecting its advantage in lowering cybersecurity costs. Risk interdependence has positive externalities that boost defense and recovery investment, so the expected profit resilience model can reduce free-riding in security investment. Insurance creates moral hazard by lowering defense investment, yet once a firm has purchased insurance, broader coverage and cost-effectiveness incentivize it to increase defense and recovery spending, respectively.
Originality/value
The paper is methodologically innovative: it offers an expected cyber resilience framework that integrates defense and recovery investment and their effects on security investment allocation, which is crucial for building cybersecurity resilience but has received little attention in cybersecurity economics. It also provides theoretical advances for cyber resilience assessment and optimal investment allocation in other fields, such as cyber-physical systems and power and water infrastructure, moving from a resilience-triangle metric to an expected utility theory-based method.
Title (translated from the Chinese version of the abstract): Building cybersecurity resilience: integrating defense and recovery investment strategies into an expected resilience framework