Corpus ID: 16335591

Private Sector Cyber Security Investment: An Empirical Analysis

Authors: Brent R. Rowe and Michael P. Gallaher
Published in: Workshop on the Economics of Information Security

Organizations typically use very robust analysis techniques to determine how best to spend resources in order to increase revenue and decrease costs or losses. However, few organizations attempt such analysis processes to determine the level and type of cyber security mechanisms in which they invest and which they maintain. Key performance and evaluation metrics are not available, so those organizations that use quantitative analysis techniques typically have well developed internal tracking… 

What drives cybersecurity investment?: Organizational factors and perspectives from decision-makers

One of the leading perspectives from literature is that decisions about investments should be made based on a comprehensive cost-benefit analysis and on a cyber-risk assessment. However, many

Comparative industrial policy and cybersecurity: the US case

It is shown how there has been, and it is argued that there will likely continue to be, substantial public investment in the sector by the US government via industrial policy to address cybersecurity market failures.

Economic valuation for information security investment: a systematic literature review

A systematic literature review on approaches used to evaluate investments in information security results in a comparison framework and a catalogue of existing approaches and trends that would help researchers and practitioners navigate existing work.

An Organizational Learning Perspective on Proactive vs. Reactive investment in Information Security

An empirical analysis of security investment in the healthcare sector finds that proactive security investments are associated with longer intervals before subsequent breaches than reactive investments, and that external regulatory pressure can stimulate organizational learning and change.

Cyber Risk Assessment for Capital Management

A novel model is presented to capture these unique dynamics of cyber risk known from engineering and to model loss distributions based on industry loss data and a particular company’s cybersecurity profile, leading to a new tool for allocating resources of the company between cybersecurity investments and loss-absorbing reserves.

Economic and Policy Frameworks for Cybersecurity Risks

Congress and the Obama administration have advanced dozens of proposals addressing cybersecurity. While many of these bills propose admirable policies, they often attempt to address a wide range of

The Economics of Malware

In many cases, an economic perspective on cybersecurity – and malware in particular – provides us with more powerful analysis and a fruitful starting point for new governmental policies: incentive

The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence

This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from the quantitative perspective.


A number of market-based incentive mechanisms that contribute to enhanced security, but also other instances in which decentralised actions may lead to sub-optimal outcomes, i.e. where significant externalities emerge, are indicated.



The Economic Impact of Cyber-Attacks

This report summarizes the limited empirical data on attack costs, surveys recent theoretical work that seeks to overcome the absence of reliable and comprehensive statistics, and surveys the response of the insurance industry to rising perceptions of cyber-risk.

The Cost of Capital, Corporation Finance and the Theory of Investment

The potential advantages of the market-value approach have long been appreciated; yet analytical results have been meager. What appears to be keeping this line of development from achieving its

A Simulation Model for Managing Survivability of Networked Information Systems

A model to evaluate the tradeoffs between the cost of defense mechanisms for networked systems and the resulting expected survivability after a network attack is developed and can derive a cost/survivability curve that managers can use to decide on the appropriate level of security for their organizations.

The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market

Stock market participants appear to discriminate across types of breaches when assessing their economic impact on affected firms, consistent with the argument that the economic consequences of information security breaches vary according to the nature of the underlying assets affected by the breach.

Why information security is hard - an economic perspective

  • Ross J. Anderson
  • Computer Science
    Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.

System Reliability and Free Riding

  • H. Varian
  • Economics
    Economics of Information Security
  • 2004
In the context of system reliability, the authors can distinguish three prototype cases: purely voluntary provision of public goods, individuals may tend to shirk, and an inefficient level of the public good.

Economics of the Public Sector

* Introduction * Economic Rationales for the State * Equity and Efficiency * Public Goods * Externalities * Asymmetric Information * Benefit Analysis * Public Choice * Government Failure * Taxation *

How much is enough? A risk management approach to computer security
