Abstract:
Cybersecurity has become a key factor determining the success of business operations that rely on the functioning of information systems. Hence, efficient investment in cybersecurity is an important financial and operational decision. We propose a modeling framework that incorporates the major components relevant to cybersecurity practice, and study the characteristics of optimal cybersecurity investment decisions for a firm, as well as how they vary under different risk approaches. A data-based analysis for major industries is performed, in which we map the maximum potential loss of a firm to the optimal cybersecurity budget size and find that the optimal budget size is independent of the mix of assets that a firm holds. In addition, we conclude that firms in the finance, energy, and technology sectors should invest more in detective technologies than in preventive ones, as opposed to the even split that suits most other industries. Moreover, the overall cybersecurity budgets for the former set of industries should be higher than those of the others.
Published in: 2015 International Conference on Industrial Engineering and Operations Management (IEOM)
Date of Conference: 03-05 March 2015
Date Added to IEEE Xplore: 27 April 2015
References:
1. L. Ponemon, "Cost of data breach study: United States," Ponemon Institute, Traverse City, MI, Tech. Rep., 2011.
2. R. Kahn, M. McConnell, J. Nye et al., "America's cyber future," Center for a New American Security, Washington, DC, Tech. Rep., 2011.
3. J. Lewis, "Net losses: estimating the global cost of cybercrime," McAfee, Inc., Santa Clara, CA, Tech. Rep., 2014.
4. S. Peters, "CSI computer crime and security survey," Computer Security Institute, New York City, NY, Tech. Rep., 2009.
5. R. Richardson, "CSI computer crime and security survey," Computer Security Institute, New York City, NY, Tech. Rep., 2010.
6. W. Baker, "Data breach investigations supplemental report," Verizon Inc., New York City, NY, Tech. Rep., 2009.
7. L. Gordon and M. Loeb, "The economics of information security investment," ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457, 2002.
8. C. Huang, Q. Hu, and R. Behara, "An economic analysis of the optimal information security investment in the case of a risk-averse firm," International Journal of Production Economics, vol. 114, no. 2, pp. 793-804, 2008.
9. Y. Baryshnikov, "IT security investment and Gordon-Loeb's 1/e rule," in Proceedings of the Workshop on the Economics of Information Security, Berlin, Germany, 2012.
10. K. Hoo, "How much is enough? A risk management approach to computer security," Ph.D. dissertation, Stanford University, 2000.
11. L. Rees, J. Deane, T. Rakes, and W. Baker, "Decision support for cybersecurity risk planning," Decision Support Systems, vol. 51, no. 3, pp. 493-505, 2011.
12. T. Sawik, "Selection of optimal countermeasure portfolio in IT security planning," Decision Support Systems, vol. 55, no. 1, pp. 156-164, 2013.
13. D. Herson, P. Davis, Y. Klein, U. Essen, and H. Tabuchi, "Generally accepted information security principles," National Institute of Standards and Technology, Reston, VA, Tech. Rep., 2003.
14. Verizon, "DBIR industry snapshot: Healthcare," Verizon, Inc., New York City, NY, Tech. Rep., 2012.
15. Verizon, "DBIR industry snapshot: Retail trade," Verizon, Inc., New York City, NY, Tech. Rep., 2012.
16. Verizon, "DBIR industry snapshot: Accommodation and food service," Verizon, Inc., New York City, NY, Tech. Rep., 2012.
17. Verizon, "DBIR industry snapshot: Financial and insurance," Verizon, Inc., New York City, NY, Tech. Rep., 2012.
18. Verizon, "Data breach investigation report: Energy and utilities," Verizon, Inc., New York City, NY, Tech. Rep., 2014.
19. Verizon, "Data breach investigation report: Information technology," Verizon, Inc., New York City, NY, Tech. Rep., 2014.
20. Verizon, "Data breach investigation report: Manufacturing," Verizon, Inc., New York City, NY, Tech. Rep., 2014.
21. Verizon, "Data breach investigation report: Professional services," Verizon, Inc., New York City, NY, Tech. Rep., 2014.
22. Verizon, "Data breach investigation report: Public sector," Verizon, Inc., New York City, NY, Tech. Rep., 2014.
23. Verizon, "Data breach investigation report: Transportation," Verizon, Inc., New York City, NY, Tech. Rep., 2014.
24. L. Gordon and M. Loeb, Managing cybersecurity resources: A cost-benefit analysis. New York City, NY: McGraw-Hill, 2005.
25. E. Rogers, Diffusion of innovations. New York City, NY: Simon and Schuster, 2010.
26. S. Lipner, "The trustworthy computing security development lifecycle," in Proceedings of the Computer Security Applications Conference, Tucson, AZ, 2004.
27. J. Oberheide, E. Cooke, and F. Jahanian, "CloudAV: N-version antivirus in the network cloud," in Proceedings of the USENIX Security Symposium, San Jose, CA, 2008.
28. McAfee. (2013) McAfee product support lifecycle. http://www.mcafee.com/us/support/support-eol-software-utilities.aspx# swu ebus server. Retrieved January 6, 2013.
29. Symantec. (2014) Symantec corporation enterprise support. http://www.symantec.com/business/support/index?page=releasedetails=54619. Retrieved December 18, 2012.
30. S. Solak, J.-P. Clarke, E. Johnson, and E. Barnes, "Optimization of R&D project portfolios under endogenous uncertainty," European Journal of Operational Research, vol. 207, no. 1, pp. 420-433, 2010.