383,303 research outputs found

    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislation on information security have compelled companies to put more resources into information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions.

    Coordination in Network Security Games: a Monotone Comparative Statics Approach

    Malicious software, or malware for short, has become a major security threat. While originating in criminal behavior, its impact is also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. In this paper, we focus on the question of incentive alignment for agents of a large network towards better security. We start with an economic model for a single agent that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover, alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy. Comment: 10 pages, to appear in IEEE JSA

    Solutions for Impact Investors: From Strategy to Implementation

    In writing this monograph, our main goal is to provide impact investors with tools to tighten the link between their investment decisions and impact creation. Our intent is threefold: to attract more capital to impact investing; to assist impact investors as they move from organizational change to executing and refining their impact investment decision-making process; and to narrow the gap within foundations between program professionals and investment professionals thereby contributing to a mutual understanding and implementation of a portfolio approach to impact investing. Additionally, we intend to help break down the barriers making it difficult to identify opportunities in impact investing. To this end, we provide examples throughout the monograph and at www.rockpa.org/impactinvesting of impact investment opportunities in most major asset classes. While we understand the important role that impact investors can play in providing financial capital, we also want to acknowledge the wide range of non-financial resources needed to address the world's problems. Our intent with this monograph is not to provide a comprehensive list of investments across asset classes nor any type of investment advice with regard to the selected profiles. We strongly encourage the reader to conduct their own assessment and evaluation for risk and suitability before considering any investment.

    The Knowledge Gap in Workplace Retirement Investing and the Role of Professional Advisors

    The dramatic shift from traditional pension plans to participant-directed 401(k) plans has increased the obligation of individual investors to take responsibility for their own retirement planning. With this shift comes increasing evidence that investors are making poor investment decisions. This Article seeks to uncover the reasons for poor investment decisions. We use a simulated retirement investing task and a new financial literacy index to evaluate the role of financial literacy in retirement investment decisionmaking in a group of nonexpert participants. Our results suggest that individual employees often lack the skills necessary to support the current model of participant-directed investing. We show that less knowledgeable participants allocate too little money to equity, engage in naive diversification, fail to identify dominated funds, and are inattentive to fees. Over the duration of a retirement account, these mistakes can cost investors hundreds of thousands of dollars. We then explore the capacity of professional advisors to mitigate this problem. Using the same study with a group of professional advisors, we document a predictable but nonetheless dramatic knowledge gap between professionals and ordinary investors. The professional advisors were far more financially literate and made better choices among investment alternatives. Our results highlight the potential value of professional advice in mitigating the effects of financial illiteracy in retirement planning. Our findings suggest that, in weighing the costs of heightened regulation against the value of reducing possible conflicts of interest, regulators need to be sensitive to the knowledge gap

    Investing in Prevention or Paying for Recovery - Attitudes to Cyber Risk

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Broadly speaking, an individual can invest time and effort to avoid becoming victim to a cyber attack and/or they can invest resource in recovering from any attack. We introduce a new game called the prevention and recovery game to study this trade-off. We report results from the experimental lab that allow us to categorize different approaches to risk taking. We show that many individuals appear relatively risk loving in that they invest in recovery rather than prevention. We find little difference in behavior between a gain and loss framing.