The economics of information security investment

@article{Gordon2002TheEO,
  title={The economics of information security investment},
  author={Lawrence A. Gordon and Martin P. Loeb},
  journal={ACM Trans. Inf. Syst. Secur.},
  year={2002},
  volume={5},
  pages={438-457}
}
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a…


An economic analysis of the optimal information security investment in the case of a risk-averse firm
This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility…

Economics of Information Security Investment in the Case of Simultaneous Attacks
This model shows how a firm should allocate its limited security budget to defend against two types of security attacks simultaneously, and finds that a firm with a small security budget is better off allocating most or all of the investment to measures against one of the classes of attack.

The importance of information security spending: an economic approach
There is no silver bullet for modeling security risks, so various methods that can be used as guidelines for professionals to make well-informed decisions are discussed.

Aligning information security investments with a firm's risk tolerance
Technology continually places greater demands on a firm to maintain, process, and communicate information. The security of this information, with respect to confidentiality, integrity, and…

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach
It is shown that cycles emerge endogenously given the policy-maker's chosen trade-offs between investment and the deterioration of the system attributes, as the decision-maker determines the optimal investment horizon.

Optimal Timing of Information Security Investment: A Real Options Approach
This chapter applies the real options analytic framework to firms' investment activity in information security technology, and then a dynamic analysis of information security investment is explored by…

Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability
  • K. Hausken
  • Economics, Computer Science
  • Inf. Syst. Frontiers
  • 2006
This article presents classes of all four kinds of marginal return where the optimal investment is no longer capped at 1/e, and presents an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets.

Optimal Investment in Information Security: A Business Value Approach
This study addresses related research questions and extends the existing model to take into account direct business benefits in optimizing security investments, filling a significant research gap.

An economic model to evaluate information security investment of risk-taking small and medium enterprises
This paper analyzes information security investment decisions made by risk-taking small and medium enterprises (SMEs) using the expected utility approach. It then compares these decisions to ones…

Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints
In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and…

References

Why information security is hard - an economic perspective
  • Ross J. Anderson
  • Computer Science
  • Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.

Effective IS Security: An Empirical Study
  • D. Straub
  • Business, Computer Science
  • Inf. Syst. Res.
  • 1990
Investigation of whether a management decision to invest in IS security results in more effective control of computer abuse indicates that security countermeasures that include deterrent administrative procedures and preventive security software will result in significantly lower computer abuse.

Accessibility, security, and accuracy in statistical databases: the case for the multiplicative fixed data perturbation approach
A comparison of different security mechanisms reveals that fixed data perturbation is preferred because it maximizes both security and accessibility, and an investigation of the different approaches to fixed data perturbation indicates that the multiplicative method best meets these criteria.

Coping With Systems Risk: Security Planning Models for Management Decision Making
Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with systems risk; this theory-based security program includes use of a security risk planning model, education/training in security awareness, and Countermeasure Matrix analysis.

Threats to Information Systems: Today's Reality, Yesterday's Understanding
A study investigating MIS executives' concern about a variety of threats found computer viruses to be a particular concern, highlighting a gap between the use of modern technology and the understanding of the security implications inherent in its use.

Computer security - What should you spend your money on?
Over the past decade or so, the information security industry has grown into a multi-billion dollar business, providing solutions to the perceived threats to data confidentiality, integrity and availability.

Towards Operational Measures of Computer Security
The paper discusses similarities between reliability and security with the intention of working towards measures of 'operational security' similar to those that the authors have for reliability of systems, based on the analogy between system failure and security breach.

Information systems planning: a model and empirical tests
Empirical studies of information systems planning practices in organizations indicate that wide variations exist. We propose and test a model based on agency theory and transaction-costs economics to…

Security in computing
This book describes the security pitfalls inherent in many important computing tasks today and points out where existing controls are inadequate and serious consideration must be given to the risk present in the computing situation.

A Cost-Based Framework for Analysis of Denial of Service Networks
This paper shows how some principles that have already been used to make cryptographic protocols more resistant to denial of service can be formalized based on a modification of the Gong-Syverson fail-stop model of cryptographic protocols, and indicates the ways in which existing cryptographic protocol analysis tools could be modified to operate within this formal framework.