Valuing information security investment: A real options approach

Software vendors make their products more secure requires sufficient supporting investment. Decisions to invest in information security technology are often made based on an assessment of its immediate value to the organization. However an important source of value comes from the fact that such security technologies have the potential to be leveraged in the diminishing of future malicious attacks. Vendors need an analytical model that shows the process by which this potential is converted into business value. We discuss a software vender to invest in security technology before launching their production in the market as a sample, because security investments create growth options that can be exercised if and when an organization decides to develop security technologies to avoid malicious attacks. This paper develops a real option model to investigate the value of this information security investment opportunity which is able to handle the multiple uncertainties from market, software vulnerability and technological aspects. The uncertain market and software vulnerability announcements uncertain factors will be transformed into a security of software products value function which is incorporated with Geometric Brownian Motion and Jump process. Unlike the conventional jump-diffusion model, the jump in our model is designed as strictly negative to account for any soft vulnerability to be announced and will only work on the drift term for a direct loses to the underlying value. Moreover, we include the learning effect that will induce the cost reduction into the valuation. In particular, our study provides an operational approach to calculate the value of secure software.