A Dynamic Theory of Security Free-Riding by Firms in the WFH Age

ABSTRACT

The COVID-19 pandemic has radically transformed the work-from-home (WFH) paradigm, and expanded an organization's cyber-vulnerability space. We propose a novel strategic method to quantify the degree of sub-optimal cybersecurity in an organization of employees, all of whom work in heterogeneous WFH 'siloes'. Specifically, we model the per-unit cost of asymmetric WFH employees to invest in security-improving effort units as time-discounted exponential martingales over time, and derive as benchmark - the centrally-planned socially optimal aggregate employee effort at any given time instant. We then derive the time-varying strategic Nash equilibrium amount of aggregate employee effort in cybersecurity in a distributed setting. The time-varying ratio of these centralized and distributed estimates quantifies the free riding dynamics, i.e., security sub-optimality, within an organization. Rigorous estimates of the degree of sub-optimal cybersecurity will drive organizational policy makers to design appropriate (customized) solutions that voluntarily incentivize WFH employees to invest in required cybersecurity best practices. © 2022 IEEE.