Mis-spending on information security measures: Theory and experimental evidence

Title: Mis-spending on information security measures: Theory and experimental evidence
Authors: Roozmehr Safi, Glenn J. Browne, Azadeh Jalali Naini
Journal: Int. J. Inf. Manag.
Abstract: Information resources are becoming increasingly important to individuals and organizations, and ensuring their security is a major concern. While research in information security has adopted primarily a quantitative method to determine how and how much to invest in security, most decision makers rely on non-quantitative methods for this purpose, thereby introducing a considerable amount of as yet unexplained subjective judgment to the problem. We use a behavioral decision making…

1 Citations
Research Note - A Value-at-Risk Approach to Information Security Investment
The concept of value-at-risk is introduced to measure the risk of daily losses an organization faces due to security exploits, and extreme value analysis is used to quantitatively estimate the value at risk.
An economic analysis of the optimal information security investment in the case of a risk-averse firm
Abstract: This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility
Measuring Attitude towards Risk Treatment Actions amongst Information Security Professionals : an Experimental Approach
Risk management lies at the core of information security. Professionals need to assess risk and make decisions on how to treat risk. Risk perception and judgement of individuals are inherently
The economics of information security investment
An economic model is presented that determines the optimal amount to invest to protect a given set of information and takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements
To help quantitatively measure the level of cybersecurity for a computer-based information system, two indices are presented, the threat-impact index and the cyber-vulnerability index, based on vulnerability trees.
Why information security is hard - an economic perspective
  • Ross J. Anderson
  • Computer Science
  • Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.
Misbehaving: The Making of Behavioral Economics
Nobel laureate Richard H. Thaler has spent his career studying the radical notion that the central agents in the economy are humans: predictable, error-prone individuals. Misbehaving is his arresting,
Developmental Reversals in Risky Decision Making
The results show that, although framing biases are irrational, they are the ironical output of cognitively advanced mechanisms of meaning making, and the growth of experience-based intuition predicts this developmental reversal.
Investigating security investment impact on firm performance
Purpose: The purpose of this study is to propose to use the economic value added to measure firm performance against information security investments. Design/methodology/approach: The authors
An integrative study of information systems security effectiveness
This study develops an integrative model of IS security effectiveness and empirically tests the model, finding that greater deterrent efforts and preventive measures lead to enhanced IS security effectiveness.