Cybersecurity Economics Is an IS Problem Hiding in Plain Sight

Cybersecurity spending keeps rising while breach costs keep climbing. Transaction cost economics, externality theory, and moral hazard explain why. IS researchers already own these theories.

2026-05-17 · 8 min read · IS Theory · IT Governance & Strategy · Trust & Security
Cybersecurity series, Part 2 of 5

I kept running into the same two numbers across the cybersecurity posts I have been writing. Recent industry reports put global security spending above $200 billion annually, and I wrote about why that spending is not solving the problem. The average breach cost keeps climbing too, and I wrote about what that number hides. What I had not done, and what I think the IS field has mostly not done either, is connect these two upward curves to the economic theories that explain why they move together.

The connection is not subtle. Transaction cost economics, externality theory, and moral hazard are not new ideas. They are core IS theory. Williamson (1975, 1985) built TCE to explain why organizations choose hierarchies over markets when asset specificity, uncertainty, and frequency make market governance expensive. The theory is taught in every IS PhD program. It appears on every comps theory list. And it directly explains why cybersecurity is structurally underprovided in organizations. But the cybersecurity research literature keeps treating underinvestment as a puzzle, a failure of attention, a failure of budgeting priorities. It is not a puzzle. It is what TCE predicts.

Let me walk through the mechanism. Security investments exhibit very high asset specificity. A custom intrusion detection system tuned to a specific network topology, a security team trained on a particular tool stack, a compliance framework implemented for a specific regulatory environment: these are investments that have enormous value inside the organization and almost no value outside it. Williamson identified asset specificity as the primary driver of transaction costs. When asset specificity is high, the organization should internalize the activity rather than outsource it. But high asset specificity also means that the investment is difficult to redeploy if the threat landscape shifts. The security tool built for last year's attack vectors has uncertain value against next year's. Uncertainty is Williamson's second factor, and in cybersecurity it is not just present. It is the defining characteristic of the environment. Organizations are making irreversible, asset-specific investments in conditions of radical uncertainty about what they are protecting against. TCE predicts that this combination produces governance failures. Either the organization over-invests in rigid controls that become obsolete, or it under-invests because the uncertainty makes the return impossible to calculate. Both predictions describe what I see in the industry data.

Then there is the externality problem. When a hospital system gets breached, the direct cost falls partly on the hospital. But the patients whose records were exposed bear identity theft risk for years. Credit card holders whose data was stolen face fraud. Business partners whose network credentials were compromised face secondary attacks. The organization making the security investment decision is not the organization bearing most of the cost of the breach. Economists call this a negative externality. The firm that underinvests in security does not internalize the full cost of that underinvestment, because the cost cascades outward to people and organizations that had no say in the investment decision. Tanriverdi et al. (2025) showed something that makes this worse at the system level. In multihospital systems, complicatedness in medical services, health IT, and governance increases cybersecurity breaches, and complexity, the ad hoc nonlinear interactions between units, exacerbates those effects. The more interconnected the system, the more the externality spreads. A breach in one hospital propagates through interconnected records and analytics platforms to other hospitals in the system. The investing entity faces a fraction of the total damage. TCE and externality theory together predict systematic underinvestment, and systematic underinvestment is exactly what we observe.

Moral hazard is the third frame. Agency theory, building on Jensen and Meckling (1976), describes what happens when a principal delegates risk to an agent whose incentives diverge from the principal's. Cybersecurity insurance creates a textbook moral hazard. When firms purchase cyber insurance, the financial risk of a breach transfers, partially or fully, to the insurer. The firm's incentive to invest in prevention drops because the insured party no longer bears the full cost of the breach. I cannot find a rigorous empirical estimate in the study materials I have, but the directional claim is straightforward: insured firms face weaker incentives for security investment than uninsured firms facing the same risk profile. The insurance market for cybersecurity is growing. If moral hazard operates as agency theory predicts, the growth of that market should correlate with a measurable reduction in prevention investment, all else equal. That is a testable prediction. I think it should be studied directly by IS researchers, not left to the insurance industry's own analyses.
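The externality and moral hazard arguments above can be made concrete with a small cost-minimisation model. This is an added illustration, not a model from the post or from the papers it cites, and every number and functional form in it is an assumption: breach probability is taken to fall exponentially with security spend, the total social loss from a breach is set at a constructed $10M, and the firm is assumed to bear half of that loss before insurance. The code compares the spend a social planner would choose with the spend a firm chooses when it bears only part of the loss, and again after an insurer reimburses part of the firm's share.

```python
import math

# Constructed toy model (added illustration, not from the post): the chance of a
# breach falls exponentially with security spend x, measured in thousands of dollars.
P0 = 0.30      # breach probability with zero security spend (assumed)
K = 0.002      # how quickly each $k of spend lowers breach probability (assumed)
LOSS = 10_000  # total social loss from a breach in $k, across firm, patients, partners (assumed)


def breach_probability(x, p0=P0, k=K):
    """Probability of a breach given security spend x (assumed exponential form)."""
    return p0 * math.exp(-k * x)


def expected_cost(x, share, loss=LOSS, p0=P0, k=K):
    """Expected cost as seen by a decision-maker who bears `share` of the breach loss:
    the spend itself plus the part of the expected loss that actually lands on them."""
    return x + share * breach_probability(x, p0, k) * loss


def optimal_spend(share, loss=LOSS, p0=P0, k=K):
    """Spend that minimises expected_cost for a decision-maker bearing `share` of the loss.

    d/dx [x + share*p0*loss*exp(-k*x)] = 1 - share*p0*loss*k*exp(-k*x) = 0
    gives x* = ln(share*p0*loss*k) / k. If that is not positive, the minimiser is the
    corner solution x* = 0: the first dollar of prevention is not worth it to them.
    """
    marginal_value_at_zero = share * p0 * loss * k
    if marginal_value_at_zero <= 1.0:
        return 0.0
    return math.log(marginal_value_at_zero) / k


def compare_investment_levels(firm_share=0.5, insurance_coverage=0.6):
    """Security spend under three views of who bears the breach loss:
      social_optimum    - a planner who counts the whole loss (share = 1)
      private_uninsured - a firm that bears only its own fraction (externality)
      private_insured   - the same firm after an insurer reimburses part of that
                          fraction (moral hazard)
    Returns, for each view, the chosen spend and the *social* cost it produces."""
    views = {
        "social_optimum": 1.0,
        "private_uninsured": firm_share,
        "private_insured": firm_share * (1.0 - insurance_coverage),
    }
    result = {}
    for name, share in views.items():
        x = optimal_spend(share)
        result[name] = {
            "spend": round(x, 1),
            # social cost always counts the full loss, whoever chose the spend
            "social_cost": round(expected_cost(x, share=1.0), 1),
        }
    return result


if __name__ == "__main__":
    for name, row in compare_investment_levels().items():
        print(f"{name:18s} spend={row['spend']:7.1f}  social_cost={row['social_cost']:7.1f}")
```

The point is the ordering, not the particular values: spend falls from the social optimum to the uninsured firm's choice to the insured firm's choice, while the social cost of each choice rises. The model also exposes the corner case the moral hazard paragraph implies: push the insurer's coverage high enough (for example `compare_investment_levels(insurance_coverage=0.9)`) and the firm's privately optimal prevention spend drops to zero, even though the social optimum is unchanged.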

Moody et al. (2018) gave us UMISPC, a unified model of information security policy compliance that integrated eleven prior theories, including protection motivation, deterrence, neutralization, and planned behavior. It is an important model for understanding why employees violate security policies. But notice what UMISPC theorizes: individual behavior. The dependent variable is whether an employee complies with a security policy. The theories it unifies are all psychological and behavioral. None of them ask the organizational economics question. None of them ask whether the firm has structured its incentives correctly. None of them ask whether the governance design produces the right level of security investment at the organizational level, not just the right level of compliance from the individual employee. Compliance and investment are not the same thing. An organization can have perfect policy compliance and still be radically underinvested in security because the economic structure of the problem rewards underinvestment. Moody et al. (2018) explains why employees follow or violate rules. TCE and agency theory explain why the rules, and the investment behind them, are set at the wrong level.

I wrote about how the $213 billion in security spending keeps climbing without producing proportional risk reduction, and about what the $4.88 million average breach cost conceals. I wrote about why 68% of breaches involve the human element and why preemptive cybersecurity fails when organizations lack coping capacity. Those posts connected the data to PMT, to sociotechnical theory, to institutional isomorphism. What they did not do, and what I think matters most, is name the economic mechanism. Spending rises. Breach costs rise. They rise together because the economic structure of cybersecurity produces systematic underinvestment at the margin where it matters most. Transaction cost economics explains why organizations struggle to justify security investments with high asset specificity and radical uncertainty. Externality theory explains why the costs of underinvestment fall on people who cannot influence the investment decision. Agency theory explains why insurance, supposed to be a safety net, can make the underlying problem worse.

These are IS theories. They belong to our disciplinary toolkit. Williamson is on every theory list. Agency theory is on every governance panel. Externalities are in every IS economics course. The IS field owns the theoretical machinery to explain why cybersecurity spending and breach costs rise in tandem, and we are not using it. Instead, we publish behavioral compliance models and breach count studies that measure the symptoms without theorizing the mechanism.

Tanriverdi et al. (2025) pointed the way. They showed that organizational complexity and complicatedness, not just technical vulnerability, drive breach risk in multihospital systems. That is an IS-level explanation. It connects the structure of the organization to the probability of a security failure. I think the next step is to take TCE, externality theory, and moral hazard directly into cybersecurity economics research. Ask the investment question, not just the compliance question. Ask why organizations set their security budgets at the level they do, and what economic forces push those budgets below the social optimum. Ask whether cybersecurity insurance improves or degrades actual security outcomes, not just financial resilience after a breach. The theories are ready. The data is available. The field that should be doing this work is ours.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
