Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security

Organizations deploy systems technologies in order to support their operations and achieve their business objectives. In so doing, they encounter tensions between the confidentiality, integrity, and availability of information, and must make investments in information security measures to address these concerns. We discuss how a macroeconomics-inspired model, analogous to models of interest rate policy used by central banks, can be used to understand trade-offs between investments against threats to confidentiality and availability. We investigate how such a model might be formulated by constructing a process model, based on empirically obtained data, of the use of USB memory sticks by employees of a financial services company.
