Information Security Investment: Expected Utility Approach with Correlated Information Assets

This paper analyzes the information security investment decisions by a firm with two correlated information assets. When information assets are correlated, a firm may face additional losses compared to a loss from a single breach, and the probability of security breach on one set may increase the probability on the other. We model the security investment of a risk-taking firm as well as risk-neutral firm by taking an expected utility approach. We then compare the decisions made by a risk-taking firm to those made by a risk-neutral firm. We will also examine how decision maker allocates funds in protecting two information sets with a limited budget.