Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System

Abstract

The paper presents a mathematical model for evaluating and deciding on optimal security-technology investments, based on a quantitative analysis of security risks and an assessment of the digital assets in an enterprise. The model quantitatively analyses the different security measures that counteract individual risks, after identifying the information-system processes in the enterprise and the threats to them. It comprises the target security level for each identified business process, the probability of a security incident, and the loss the enterprise may suffer if one occurs. Security technology is selected according to the efficiency of the candidate security measures, with economic metrics applied to assess that efficiency and to compare different protection technologies. Unlike existing models for evaluating security investment, the proposed model allows direct comparison and quantitative assessment of different security measures. It supports detailed analyses and computations that yield quantitative assessments of the investment options, which translate into recommendations that facilitate selecting the best solution and making the decision. The model was tested on empirical examples using data from a real business environment.
