
    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislation on information security have compelled companies to put more resources into information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions.

    Current Research in Information Security and Privacy

    This paper reviews a range of current MIS research literature to identify research topics in information security and privacy. Results of this study indicate IT security provides the basis of current research in the area of information security and privacy. The results of this study reveal limited research in this area, particularly at the organizational level. One conclusion is that this lack of research results from organizational unwillingness to share information and statistics on security. Another conclusion is that research is needed in the area of information privacy. One area of future research may be organizational privacy policies. Two particular areas of interest may be user perceptions of privacy policies and opt-in/opt-out policies and procedures. Additionally, research related to individuals’ concern for information privacy may be less problematic to study than organizational security issues. Research in this area is important because user concern for information privacy has the potential to affect the future of e-commerce.

    Investment in Information Security Measures: A Behavioral Investigation

    In a pilot study, we employed a series of novel economic games to investigate the underexplored behavioral aspects of security investment decisions and security investment structure decisions (i.e., budgeting the security expenditure among different types of security measures). In our study, decision makers exhibited a bias toward investing in prevention even though investing in detection and response yielded the same return on security investment. We also demonstrated that it is difficult for human decision makers to determine the optimal security investment amount even when return on investment is readily calculable. Nearly all participants invested in security when the risk was so small that the economically justifiable security investment amount was zero.

    A Model for B2B IT Security: Multilayer Defense Facing Interdependent Cyber Risk

    B2B firms couple their business processes for better efficiency. Integrated business processes require that the firms’ networks be interconnected. This practice enables breach incidents to travel from one firm to another, making the IT security risks of the firms strategically interdependent. The present practice of multilayered defense against IT breaches resembles stage-gates, bringing operational interdependency between the successive layers of defense in a B2B firm. Such inter-firm and inter-layer interdependences in B2B relationships ultimately result in complex decision scenarios in the IT security regime. We propose a comprehensive game theoretic model to capture the above complex, intertwined interdependencies of IT security risk in B2B firms. We also provide some initial results to explain the B2B firms’ incentive to invest in IT security.

    Cybersecurity Scenario Modeling: Imagining the Black Swans for Digital Infrastructures Risk Management

    The term “digital infrastructures” is used to refer to one or more of a combination of IoT and its artifacts, the cloud, cyber-physical systems, and digitized business architectures. As digital infrastructures become increasingly complex and interdependent, impacts from disruptive events have the potential to be more harmful than mere inconveniences and financial losses. The risk from these catastrophic events to digital infrastructures may leave many organizations unprepared. To predict so-called “Black Swan Events” to increasingly complex digital infrastructures, this research in progress postulates that risk management activities should be conducted outside of existing frameworks. In this paper, we argue that qualitative scenario risk modeling exercises utilizing diverse stakeholders may become even more important than other types of risk analysis in the prediction of threats to digital infrastructures. We discuss the importance of diverse stakeholders in developing structured, qualitative, scenario models to predict Black Swan Events to digital infrastructures. We discuss potential issues and solutions for the cataloging and quantification of the use cases developed from qualitative event scenario modeling and the next steps for this research.

    EVALUATING THE PERFORMANCE OF INFORMATION SECURITY: A BALANCED SCORECARD APPROACH

    This paper, a research in progress, presents a balanced scorecard based framework for managing and evaluating the performance of information security in organizations. Acknowledging the multi-dimensionality of information security and the various value propositions of different constituents, we contend that for organizations to maximize the value of their information security effort, they should strike a balance between four information security capabilities pertaining to four perspectives: the financial, the customer, the internal processes, and the learning and growth perspectives. The proposed framework supplements the traditional financial perspective with three non-financial perspectives and thus accounts for the qualitative and intangible benefits of information security. Furthermore, it captures the technical and socio-organizational dimensions of information security. Finally, the proposed framework, through its robust theoretical and methodological foundation, holds the promise of maximizing the effectiveness of the information security endeavor in organizations.

    Replace or Revise? A Case Study Investigating the Replacement of an Organizational Website

    When should an organization’s web page be replaced rather than updated? As Internet technologies evolve, organizations are often urged to keep pace. Yet replacing a web page, or creating an entirely new web page, can be both a risky and expensive proposition. Not only are there financial costs of starting a new project, there are also pitfalls of working through the challenges of a new technology that may result in gaps in service, lost sales opportunities, or even lost customers. This paper examines one organization’s choice to replace an existing website rather than revise the website. The original website is compared to the replacing website through both an organizational and a technical model. The differences between the two websites provide both managers and academics with a heuristic or Baedeker for evaluating the replacement or revision of an organization’s website.

    Funding model for port information system cyber security facilities with incomplete Hacker information available

    This article describes the model developed for the decision-making support module that allocates funding to the cyber security facilities of a port information system. The model is based on a multistage game theory toolkit. The solution offered gives managers of information safety systems, particularly port information systems and technologies, an opportunity to carry out a preliminary assessment of financial strategies for the development of effective cyber safety systems. The distinctive feature of the model is the assumption that the defending party does not have full information on the financing strategies of the attacking party or on the state of the financial resources it uses to break the cyber security barriers of the port information system. The solution employs the mathematical apparatus of a bilinear turn-based multistage quality game with several terminal surfaces. A multiple-option simulation experiment was carried out to validate the model, and its results are also described herein. Thus, for the first time, the article presents the solution of the game for all cases of the correlation of game parameters between the protection side of the port information system (PIS) and hackers seeking to overcome the boundaries of cybersecurity. The solution found in the article will be useful for the decision support system being created, in particular for the situation in which the attacker uses a mixed financial strategy for hacking the information system.

    Prospect Theory and Information Security Investment Decisions

    Most articles that discuss the economics of security focus on the use of rational choice decision models for evaluating investment alternatives. However, security investment decisions involve risk, and several researchers have noted that risk related decisions often violate the fundamental principles of rational choice decision models. Accordingly, we assert that problems exist with using these models to explain security investment decisions. Further, we believe that the development of prescriptive models to guide investment decisions requires a deeper understanding of the cognitive processes involved. To test these ideas, we introduce a study that uses prospect theory to analyze security practitioners’ investment decisions. The article includes a discussion of our methodology to electronically assess security practitioners’ preference patterns. Additionally, we discuss data collection efforts which are currently in process and future plans to analyze the collected data. Interim analytical results of data received prior to AMCIS 2012 will be presented to conference attendees.