The economics of information security investment

Lawrence A. Gordon and Martin P. Loeb
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a… 


Returns to information security investment: Endogenizing the expected loss

  • K. Hausken
  • Economics, Computer Science
    Inf. Syst. Frontiers
  • 2014
This paper endogenizes the value of an information set which has to be produced and protected and allows the breach probability to be not only convex, but concave, which means that substantial security investment is needed to deter most perpetrators.

Vulnerability and Information Security Investment Under Interdependent Risks: A Theoretical Approach

  • W. Shim
  • Computer Science, Economics
  • 2011
An economic model is developed that shows the optimal level of information security investment in the context of interdependent security risks and illustrates that an agent should invest a different fraction of the expected loss compared to security investments in the situation of independent security risks.

Economics of Information Security Investment in the Case of Simultaneous Attacks

This model shows how a firm should allocate its limited security budget to defend against two types of security attacks simultaneously, and finds that a firm with a small security budget is better off allocating most or all of the investment to measures against one of the classes of attack.

The importance of information security spending: an economic approach

There is no silver bullet for modeling security risks so various methods that can be used as guidelines for professionals to make well informed decisions are discussed.

Aligning information security investments with a firm's risk tolerance

A way to measure the potential of information security investments, by calculating how the investment affects the firm's level of risk averseness, is proposed to give management a better idea of how information security investments will affect the bottom line by trying to determine the ROI of such an investment.

Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability

  • K. Hausken
  • Computer Science
    Inf. Syst. Frontiers
  • 2006
This article presents classes of all four kinds of marginal return where the optimal investment is no longer capped at 1/e of the expected loss, and presents an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets.
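The Gordon-Loeb model summarized in the abstract above, and the 1/e cap that Hausken's paper relaxes, are easier to see with numbers. The following is an added worked example written for this page, not code from either paper. It uses the two breach-probability functions Gordon and Loeb analyze, Class I S(z,v) = v/(αz+1)^β and Class II S(z,v) = v^(αz+1), and maximizes the expected net benefit ENBIS(z) = (v − S(z,v))·L − z. The parameter values (alpha, beta, the loss L and the vulnerability grid) are illustrative assumptions chosen so the effects are visible, not values from the paper.

```python
"""Worked example of the Gordon-Loeb (2002) security investment model.

Notation follows the paper: v is the vulnerability (breach probability with
no additional investment), L the loss if a breach occurs, z the investment
and S(z, v) the breach probability after investing z.  The firm chooses z
to maximize

    ENBIS(z) = (v - S(z, v)) * L - z

alpha, beta and L below are illustrative assumptions, not the paper's values.
"""
import math

ALPHA = 1e-5   # assumed productivity of security spending (per dollar)
BETA = 1.0     # assumed exponent for the Class I function


def s_class1(z, v, alpha=ALPHA, beta=BETA):
    """Class I breach function: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def s_class2(z, v, alpha=ALPHA):
    """Class II breach function: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, L, s):
    """Expected net benefit of investing z, given breach function s."""
    return (v - s(z, v)) * L - z


def z_star_class1(v, L, alpha=ALPHA, beta=BETA):
    """Optimal z for Class I from the first-order condition
    alpha*beta*v*L = (alpha*z + 1)**(beta + 1); corner solution z = 0 when
    the marginal benefit at z = 0 is already below the marginal cost of 1."""
    inner = alpha * beta * v * L
    if inner <= 1.0:
        return 0.0
    return (inner ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def z_star_class2(v, L, alpha=ALPHA):
    """Optimal z for Class II from alpha*L*ln(1/v) * v**(alpha*z + 1) = 1.
    Returns 0 when investing is not worthwhile at the margin (which happens
    both for very small v and, notably, for v close to 1)."""
    if v <= 0.0 or v >= 1.0:
        return 0.0
    k = alpha * L * math.log(1.0 / v)
    if k * v <= 1.0:  # marginal benefit at z = 0 does not cover marginal cost
        return 0.0
    return (math.log(k) / math.log(1.0 / v) - 1.0) / alpha


def z_star_numeric(v, L, s, step=50.0):
    """Brute-force check of the closed forms: grid-search ENBIS on [0, v*L].
    (Spending more than the expected loss v*L can never be optimal.)"""
    n = int(v * L / step)
    best_z, best_val = 0.0, enbis(0.0, v, L, s)
    for i in range(n + 1):
        z = i * step
        val = enbis(z, v, L, s)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def investment_table(L, vulns):
    """[(v, z* under Class I, z* under Class II)] for each vulnerability."""
    return [(v, z_star_class1(v, L), z_star_class2(v, L)) for v in vulns]


def max_fraction_of_expected_loss(L, vulns):
    """Largest z*/(v*L) over the grid for either class.  Gordon and Loeb
    prove this ratio stays strictly below 1/e (about 0.368)."""
    return max(max(z1, z2) / (v * L) for v, z1, z2 in investment_table(L, vulns))


if __name__ == "__main__":
    L = 1_000_000.0  # assumed loss from a breach, in dollars
    vulns = [0.01, 0.1, 0.3, 0.5, 0.7, 0.9, 0.99]
    print(f"{'v':>5} {'exp. loss':>10} {'z* Class I':>11} {'z* Class II':>12}")
    for v, z1, z2 in investment_table(L, vulns):
        print(f"{v:>5.2f} {v * L:>10,.0f} {z1:>11,.0f} {z2:>12,.0f}")
    print(f"max z*/(v*L) on grid: {max_fraction_of_expected_loss(L, vulns):.3f}"
          f"  (1/e = {1 / math.e:.3f})")
    print("grid-search check, Class II, v=0.5:",
          f"{z_star_numeric(0.5, L, s_class2):,.0f}")
```

Running the table shows the two qualitative results the abstract states: under Class I, z* rises with v, but under Class II the optimal investment is zero at v = 0.9 even though the expected loss there (900,000) is larger than at v = 0.5, where the firm should spend about 179,000; and in every row the optimum is below 1/e of the expected loss. Hausken's alternative breach functions are exactly those for which this last bound no longer holds.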

Optimal Investment in Information Security: A Business Value Approach

This study addresses related research questions and extends the existing model to take into account direct business benefits in optimizing security investments, filling a significant research gap.

An Economic Analysis of Security Investment in Information Systems with Security Threats: A Stochastic Approach

The approach in this paper can be useful for security investment decision-making, to determine the optimal investment portfolio.



Why information security is hard - an economic perspective

  • Ross J. Anderson
  • Computer Science
    Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.

Effective IS Security: An Empirical Study

Investigation of whether a management decision to invest in IS security results in more effective control of computer abuse indicates that security countermeasures that include deterrent administrative procedures and preventive security software will result in significantly lower computer abuse.

Accessibility, security, and accuracy in statistical databases: the case for the multiplicative fixed data perturbation approach

A comparison of different security mechanisms reveals that fixed data perturbation is preferred because it maximizes both security and accessibility, and an investigation of the different approaches to fixed data perturbation indicates that the multiplicative method best meets these criteria.

Coping With Systems Risk: Security Planning Models for Management Decision Making

Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with systems risk, and this theory-based security program includes use of a security risk planning model, education/training in security awareness, and Countermeasure Matrix analysis.

Threats to Information Systems: Today's Reality, Yesterday's Understanding

A study investigating MIS executives' concern about a variety of threats found computer viruses to be a particular concern, highlighting a gap between the use of modern technology and the understanding of the security implications inherent in its use.

Towards Operational Measures of Computer Security

The paper discusses similarities between reliability and security with the intention of working towards measures of 'operational security' similar to those that already exist for the reliability of systems, based on the analogy between system failure and security breach.

Information systems planning: a model and empirical tests

Empirical studies of information systems planning practices in organizations indicate that wide variations exist. We propose and test a model based on agency theory and transaction-costs economics to

Security in computing

A Cost-Based Framework for Analysis of Denial of Service Networks

This paper shows how some principles that have already been used to make cryptographic protocols more resistant to denial of service can be formalized based on a modification of the Gong-Syverson fail-stop model of cryptographic protocols, and indicates the ways in which existing cryptographic protocol analysis tools could be modified to operate within this formal framework.

Balancing cooperation and risk in intrusion detection

This paper discusses the detection of distributed attacks across cooperating enterprises by defining relationships between cooperative hosts, then uses the take-grant model to identify both when a host could identify a widespread attack and when that host is at increased risk due to data sharing.