The economics of information security investment

This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
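To make the abstract's reasoning concrete, here is an added numerical example (written for this page, not code from the paper). It maximises the expected net benefit of security investment, ENBIS(z) = (v - S(z, v)) L - z, where v is the vulnerability (breach probability with no extra investment), L the potential loss, and S(z, v) the breach probability after investing z. The two breach-probability families, their closed-form optima and all parameter values (L, alpha, the v grid) are assumptions for this example, since the abstract does not state them. The run shows both claims of the abstract: under family II the optimal spend for v = 0.8 exceeds that for v = 0.5, while for v = 0.9 it drops to zero (midrange vulnerabilities win), and the optimal spend never exceeds about 37% (1/e) of the expected loss vL.

```python
"""Added example: optimal security investment for a single information set.

Model: maximise ENBIS(z) = (v - S(z, v)) * L - z over the investment z >= 0.
The two S families below and every parameter value are assumptions made for
this illustration; the abstract above does not specify them.
"""
import math

E_INV = 1 / math.e  # reference share of expected loss, about 0.368


def s_class1(z: float, v: float, alpha: float, beta: float = 1.0) -> float:
    """Breach probability after investing z, family I: v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1) ** beta


def s_class2(z: float, v: float, alpha: float) -> float:
    """Breach probability after investing z, family II: v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1)


def enbis(z: float, v: float, loss: float, s_func) -> float:
    """Expected net benefit of information security investment at level z."""
    return (v - s_func(z, v)) * loss - z


def optimal_z_class1(v: float, loss: float, alpha: float, beta: float = 1.0) -> float:
    """Maximiser of ENBIS for family I, from the first-order condition
    v*L*alpha*beta*(alpha*z+1)**(-beta-1) = 1, clipped at zero."""
    z = ((v * loss * alpha * beta) ** (1 / (beta + 1)) - 1) / alpha
    return max(0.0, z)


def optimal_z_class2(v: float, loss: float, alpha: float) -> float:
    """Maximiser of ENBIS for family II (requires 0 < v < 1).
    First-order condition: v**(alpha*z+1) * (-ln v) * alpha * L = 1."""
    w = -math.log(v)            # w > 0 because 0 < v < 1
    k = alpha * loss * w
    if k <= 1:                  # no positive investment pays for itself
        return 0.0
    return max(0.0, (math.log(k) / w - 1) / alpha)


def grid_search_z(v: float, loss: float, s_func, z_max: float, steps: int = 200_000) -> float:
    """Brute-force cross-check of the closed forms: best z on a uniform grid."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, s_func)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, loss, s_func)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def investment_table(loss: float, alpha: float, vulnerabilities) -> list:
    """Optimal spend under each family and its share of the expected loss v*L."""
    rows = []
    for v in vulnerabilities:
        z1 = optimal_z_class1(v, loss, alpha)
        z2 = optimal_z_class2(v, loss, alpha)
        rows.append({"v": v, "expected_loss": v * loss,
                     "z1": z1, "share1": z1 / (v * loss),
                     "z2": z2, "share2": z2 / (v * loss)})
    return rows


if __name__ == "__main__":
    LOSS, ALPHA = 1_000_000.0, 1e-5   # assumed: $1M potential loss, alpha per dollar
    for r in investment_table(LOSS, ALPHA, [0.1, 0.3, 0.5, 0.8, 0.9]):
        print(f"v={r['v']:.2f}  vL={r['expected_loss']:>9,.0f}  "
              f"z*_I={r['z1']:>9,.0f} ({r['share1']:.1%})  "
              f"z*_II={r['z2']:>9,.0f} ({r['share2']:.1%})")
```

The closed forms follow from setting the derivative of ENBIS to zero; because S is convex in z for both families, ENBIS is concave and the grid search lands within one grid step of the same optimum, which is what the cross-check relies on. Changing alpha (how productively a dollar reduces breach probability) moves the vulnerability at which family II stops recommending any spend, but the share of vL never climbs above 1/e.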
