To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool | SpringerLink

To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool

Chapter in: The Economics of Information Security and Privacy

Abstract

The threat of information security (IS) breaches is omnipresent. Large organizations such as Sony or Lockheed Martin were recently attacked and lost confidential customer information. Besides targeted attacks, virus and malware infections, lost or stolen laptops and mobile devices, and the abuse of organizational IT by employees, to name but a few, also put the security of assets in jeopardy. To defend against IS threats, organizations invest in IS countermeasures that prevent, or at least reduce, the probability and the impact of IS breaches. As IS budgets are constrained and the number of assets to be protected is large, IS investments need to be evaluated carefully. Several approaches for the evaluation of IS investments are presented in the literature. In this chapter, we identify, compare, and evaluate such approaches using the example of a policy and security configuration management tool. Such a tool is expected to reduce the costs of organizational policy and security configuration management and to increase the trustworthiness of organizations. We found that none of the analyzed approaches can be used without reservation to assess the economic viability of the policy and security configuration management tool used as an example. We see, however, considerable potential for new approaches that combine elements of existing approaches.



Acknowledgements

The research leading to these results was partially funded by the European Commission under the 7th Framework Programme (FP7) through the PoSecCo project (project no. 257129).

Corresponding author

Correspondence to Lukas Demetz.


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Demetz, L., Bachlechner, D. (2013). To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool. In: Böhme, R. (eds) The Economics of Information Security and Privacy. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_2


  • DOI: https://doi.org/10.1007/978-3-642-39498-0_2


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39497-3

  • Online ISBN: 978-3-642-39498-0

  • eBook Packages: Computer Science (R0)
