E-resources
Full text
Peer reviewed
  • Decision support model for ...
    Paul, Jomon A.; Zhang, Minjiao

    European journal of operational research, 05/2021, Volume: 291, Issue: 1
    Journal Article

    • Focus is on government and firm resource allocation strategies in cybersecurity risk planning.
    • Firms focus on prevention, detection, and containment safeguards, while government focuses on intelligence.
    • The countermeasure portfolio accounts for a strategic attacker and firm budgetary constraints.
    • Externality may reduce government intelligence.
    • Firms give preference to detection investment over containment safeguards.

    We study the decision-making problem in cybersecurity risk planning concerning resource allocation strategies by government and firms. Aiming to minimize the social costs incurred due to cyberattacks, we consider not only the monetary investment costs but also the deprivation costs due to detection and containment delays. We also consider the effect of positive externalities of the overall cybersecurity investment on an individual firm’s resource allocation attitude. The optimal decision guides the firms on the countermeasure portfolio mix (detection vs. prevention vs. containment) and government intelligence investments while accounting for actions of a strategic attacker and firm budgetary limitations. We accomplish this via a two-stage stochastic programming model. In the first stage, firms decide on prevention and detection investments aided by government intelligence investments that improve detection effectiveness. In the second stage, once the attacker’s actions are realized, firms decide on containment investments after evaluating the cyberattacks. We demonstrate the applicability of our model via a case study. We find that externality can reduce the government’s intelligence investment and that the firm’s detection investment receives priority over containment. We also note that while prevention effectiveness has a decreasing impact on intelligence, it is beneficial to spend more on intelligence given its increasing returns to the reduction of social costs related to cybersecurity.