Market Impact on IT Security Spending

Bora Kolfal, Raymond Patterson, M. Lisa Yeo
Dept. of Accounting and Management Information Systems, School of Business, University of Alberta, Edmonton, AB T6G 2R6
{bkolfal, ray.patterson, myeo}@ualberta.ca

Traditionally, IT security investment decisions are made in isolation. However, as firms that compete for customers in an industry are closely interlinked, a macro perspective is needed in analyzing the IT security spending decisions and this is a key contribution of the paper. We introduce the notions of direct- and cross-risk elasticity to describe the customer response to adverse IT security events in the firm and competitor, respectively, thus allowing us to analyze optimal security investment decisions. Both symmetric and asymmetric cases are examined for a duopoly in a continuous-time Markov chain (CTMC) setting. We demonstrate that optimal IT security spending, expected firm profits and willingness of firms to cooperate with competitors to improve security are highly dependent on the nature of customer response to adverse events, especially whether customer response to adverse security events in the competitor increases or decreases firm demand.

Key words: IT Security, Regulation, Continuous-time Markov Chain, Direct and Cross-risk Elasticity of Demand

1. Introduction

In the context of IT security, we use the terms direct-risk and cross-risk elasticity of demand to describe the customer demand effects of adverse IT security events. Our model addresses both direct- and cross-risk elasticity of demand, just as changes in price are traditionally related to demand. Direct-risk elasticity of demand is used to describe the percentage change in demand due to an adverse IT security event experienced directly by the firm, while cross-risk elasticity of demand is used to describe the percentage change in demand due to the cross-over effect of an adverse IT security event at a competitor firm.

Our paper models this context in a continuous-time setting, incorporating both the direct- and cross-risk elasticity of demand. The firm’s IT security spending reduces the frequency of adverse IT security events experienced by the firm, thus affecting customer demand for the firm’s products. Also, due to the cross-risk elasticity between firms, IT