Cybersecurity Economic Issues: Clearing the Path to Good Practice

Software project managers have limited project resources. Requests for security improvements must compete with other requests, such as for new tools, more staff, or additional testing. Deciding how and whether to invest in cybersecurity protection requires knowing the answer to at least two questions: What is the likelihood of an attack, and what are its likely consequences? Security analysts understand a system's vulnerability to potential cyberattacks fairly well, but to date, research on the economic consequences of cyberattacks has been limited, dealing primarily with microanalyses of attacks' direct impacts on a particular organization. Many managers recognize the significant potential of a cyberattack's effects to cascade from one computer or business system to another, but there have been no significant efforts to develop a methodology to account for both direct and indirect costs. Without such a methodology, project managers and their organizations are hard pressed to make informed decisions about how much to invest in cybersecurity and how to ensure that security resources are used effectively. In this article, we explore how others have sought answers to our two questions. We describe the data available to inform decisions about investing in cybersecurity and look at research models of the trade-offs between investment and protection. The framework we present can help project managers find appropriate models with credible data so that they can make effective security decisions.
