Identifying How Firms Manage Cybersecurity Investment

We report on a set of 40 semi-structured interviews with information security executives and managers at a variety of firms and government agencies. The purpose of the interviews was to learn more about how organizations make cybersecurity investment decisions: how much support they receive to execute their mission, how they prioritize which threats to defend against, and how they choose between competing security controls. We find that most private sector executives believe that their firms adequately fund cybersecurity, but that finding qualified personnel inhibits the pace of adoption of new controls. Most firms do not calculate return on investment (ROI) or other outcome-based quantitative investment metrics; instead, they opt for process-based frameworks such as NIST and COBIT to guide strategic investment decisions. Finally, we note that CISOs in government face considerable challenges compared to their private-sector counterparts.
