Issue No.01 - January/February (2008 vol.25)
pp: 35-42
Rachel Rue, RAND Corp.
ABSTRACT
Software project managers have limited project resources. Requests for security improvements must compete with other requests, such as for new tools, more staff, and additional testing. Deciding how and whether to invest in cybersecurity protection requires answering at least two questions: What is the likelihood of an attack, and what are its likely consequences? This article explores how answers to these questions have been sought and what obstacles stand in the way of understanding them. The authors discuss the need for data to inform management decisions about cybersecurity investment, then examine models that support decisions about trade-offs between investment and protection. Finally, they present a framework for comparing and contrasting economic models so that project managers can make effective decisions about security. This article is part of a special issue on Security for the Rest of Us.
INDEX TERMS
cybersecurity, economics, models
CITATION
Shari Lawrence Pfleeger, Rachel Rue, "Cybersecurity Economic Issues: Clearing the Path to Good Practice", IEEE Software, vol.25, no. 1, pp. 35-42, January/February 2008, doi:10.1109/MS.2008.4