Allocation of resources to cyber-security: The effect of misalignment of interest between managers and investors

• Unlike investors, managers have limited tenure and cannot diversify their human capital investment in a firm resulting in misalignment of interest.
• The risks of security threats and consequent financial distress costs are therefore viewed differently by managers and investors.
• We use model the effect of differential incentives between managers and investors on cyber-security fund allocation.
• We find thatmanagers over-invest in security to reduce breaches during their tenure.
• We also show that cyber-insurance is feasible and serves to reduce the adverse consequences of misalignment of interests.

Cyber-security is increasingly seen as an important determinant of firm-specific financial risk. Agency theory suggests that managers and investors have different preferences over such risk because investors can diversity their capital over different firms to reduce firm-specific risk but managers cannot diversify their investment of human capital in their firm. Therefore managers face greater personal cost of financial distress during their limited tenure. We develop an analytical model for optimally allocating investments to general productive assets and specific cyber-security assets incorporating costs of security breaches, borrowing and financial distress. We note that investment in productive assets can generate cash flows that allow the firm to better withstand security threats in the long run but investment in specific security-enhancing assets reduce security breaches in short run while leaving the firm's finances vulnerable over a longer period. Using our model, we show that managers over-invest in specific security-enhancing assets to reduce security breaches during their tenure. We then incorporate cyber-insurance in our model and show that it has the effect of reducing managers' over-investment in specific security-enhancing assets.