Abstract
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
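The model the abstract describes can be worked through numerically: choose a breach-probability function S(z, v) that falls as investment z rises, maximise the expected benefit EBIS(z) = [v - S(z, v)]·L - z, and sweep the vulnerability v to see where the optimal z* concentrates and what fraction of the expected loss v·L it represents. This is an added example, not code from the article; the two functional forms for S(z, v), the parameter values α, β and L, and the golden-section search are assumptions made here, since the abstract states none of them.

```python
import math

def breach_prob_class1(z, v, alpha=1e-5, beta=1.0):
    """Assumed form S(z, v) = v / (alpha*z + 1)**beta: investment z lowers breach probability."""
    return v / (alpha * z + 1.0) ** beta

def breach_prob_class2(z, v, alpha=1e-5):
    """Assumed form S(z, v) = v ** (alpha*z + 1); note S(z, 1) == 1, so v = 1 is unprotectable."""
    return v ** (alpha * z + 1.0)

def expected_benefit(z, v, loss, breach_prob):
    """EBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the cost of z."""
    return (v - breach_prob(z, v)) * loss - z

def optimal_investment(v, loss, breach_prob, iters=200):
    """Golden-section search for the z* maximising EBIS on [0, v*L].
    EBIS is concave in z for both forms above, and z* <= v*L because EBIS(0) = 0."""
    lo, hi = 0.0, v * loss
    inv_phi = (math.sqrt(5.0) - 1.0) / 2.0
    a = hi - inv_phi * (hi - lo)
    b = lo + inv_phi * (hi - lo)
    for _ in range(iters):
        if expected_benefit(a, v, loss, breach_prob) > expected_benefit(b, v, loss, breach_prob):
            hi, b = b, a                      # maximum lies in [lo, b]
            a = hi - inv_phi * (hi - lo)
        else:
            lo, a = a, b                      # maximum lies in [a, hi]
            b = lo + inv_phi * (hi - lo)
    return (lo + hi) / 2.0

def sweep_vulnerability(loss, breach_prob, steps=99):
    """Rows (v, z*, z*/(v*L)) for v = 1/(steps+1) ... steps/(steps+1): where does z*
    concentrate, and what fraction of the expected loss v*L is it worth spending?"""
    rows = []
    for i in range(1, steps + 1):
        v = i / (steps + 1)
        z = optimal_investment(v, loss, breach_prob)
        rows.append((v, z, z / (v * loss)))
    return rows

if __name__ == "__main__":
    L = 1_000_000.0                           # constructed potential loss
    for v, z, frac in sweep_vulnerability(L, breach_prob_class2, steps=9):
        print(f"v={v:.1f}  z*={z:9.0f}  z*/(vL)={frac:.3f}")
```

With the second form, z* is zero both for low v and for v close to 1 and peaks at a midrange vulnerability, while with the first form z* rises monotonically in v; in both cases the optimal spend stays a modest fraction of v·L.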