An economic analysis of the optimal information security investment in the case of a risk-averse firm
Article code | Publication year | Pages (English article) |
---|---|---|
28439 | 2008 | 12 pages, PDF |
Publisher: Elsevier - Science Direct
Journal : International Journal of Production Economics, Volume 114, Issue 2, August 2008, Pages 793–804
English abstract
This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility theory, we find that for a risk-averse decision maker, the maximum security investment increases with, but never exceeds, the potential loss from a security breach, and there exists a minimum potential loss below which the optimal investment is zero. Our model also shows that the investment in information security does not necessarily increase with increasing level of risk aversion of the decision maker. Relationships between vulnerability and investment effectiveness and two broad classes of security breach probability functions are examined, leading to interesting insights that can be used as guidelines for managers to determine the optimal level of security investment for certain types of security threats faced by risk-averse firms. Future research directions are discussed based on the limitations and possible extensions of this study.
English introduction
If the theme of IT management in the 1990s can be characterized as investing for competitive advantage and strategic necessity, then that of the 2000s might be described as ensuring information and systems security. Computer worms and viruses, spyware, cyber attacks, and computer system security breaches are common occurrences and have resulted in financial losses amounting to billions of dollars worldwide (Denning, 2000). High profile attacks on firms, such as Microsoft, eBay, Yahoo, and Amazon.com, and government agencies, such as the Department of Defense and the Federal Bureau of Investigation, made regular headlines (Kesan et al., 2004). In a CSI/FBI survey, over 75% of the respondents reported some kind of security breach in 2005 (Gordon et al., 2005). As a result, firms, large and small, are investing heavily in information and network security technologies to reduce the likelihood of major damages caused by security problems. It is estimated that US companies spent on average $196 per employee per year on security (Geer et al., 2003); a survey of more than 1000 US corporations shows that companies spent on average 20 percent of their total technology budget in 2006 on security measures, up from 12 percent in 2004, and nearly one-half of those surveyed planned to continue to increase IT security spending (CompTIA, 2007). In the race to secure data and systems, research conducted by practitioners and academics has primarily focused on the technical and behavioral aspects of information security; rigorous analyses based on economic principles are rare. This is understandable, because information security investments usually do not generate direct monetary benefits such as higher revenues or lower costs; their main contribution is to prevent potential economic loss from happening.
However, given the high cost of information security and the fact that a “completely secure organization” is an insurmountable, if not impossible, goal in today's networked economy, one critical question in determining the investment in security is, “What is the right amount of investment?” In other words, a firm needs to determine the most effective level of information security investment, based on the nature of the information sets it intends to protect, the vulnerability of its information systems, the potential loss associated with a security breach if it does occur, and the security environment that it faces. Recent academic research in the economics of information security, albeit limited, intends to address this issue. Some scholars argue that there exists an optimal level of security investment for a given security vulnerability and threat environment of each organization. Investing less than that optimal level will result in unacceptable security risks; on the other hand, investments exceeding the optimal level do not bring justifiable returns for the investment (Gordon and Loeb, 2002; Soo Hoo, 2000). In this study, we apply classical economic theories to offer new insights into the issue of determining the optimal level of information security investment. We model the decision maker of a firm as risk-averse, and adopt the expected utility theory to determine the security investment level that maximizes the utility of the investment. This theoretical approach yields results that shed light on how a firm could manage its investment in information security based on different characteristics of threat environments and system configurations. The rest of the paper is organized as follows. In Section 2, we review the literature on the economics of information security investment and introduce the background of our research. We then establish the foundation of the security investment model based on the utility function approach and the risk-aversion assumption.
In Section 3, the model is applied to derive the boundary condition for the maximum level of security investment. In Section 4, the optimal security investment levels are determined using the two classes of security breach probability functions proposed by Gordon and Loeb (2002), and we discuss both the mathematical results and the practical implications of our findings. Finally, this paper concludes by pointing out the limitations of this study, future research directions, and potential ways of extending and improving our model (Section 5).
English conclusion
This paper contributes to the emerging literature of the economics of information security investment in multiple aspects. First, it extends prior studies by modeling risk-averse decision makers and adopting the expected utility theory as the optimization principle. Also, the impact of the effectiveness of the security investments is modeled explicitly in the context of a risk-averse decision maker. In addition, the two classes of breach probability defined by Gordon and Loeb (2002) are situated within the context of security practices to provide additional insights into their characteristics and better understanding of their behaviors under different scenarios. Finally, further insights from our model come in the form of the three propositions, in which the relationship between optimal security investment and the potential loss, extent of risk aversion, and the investment effectiveness, respectively, are developed. These propositions draw our attention to the many trade-offs decision makers often face and the importance of accurate assessment of the potential loss as a result of a security breach in information security management. Our findings offer insights into information security management practices. First, our model indicates that to a risk-averse decision maker, not all information security risks are worth protecting against (Proposition 1). Specifically, until the potential loss from a security breach reaches a certain level, the firm is better off not investing any money at all in protecting against such a threat. In addition, we find that optimal investment in information security does not always go up with the effectiveness of such investment (Proposition 3). These findings suggest that managers should conduct careful evaluations of the vulnerabilities of their information systems and the potential losses in case of a breach before deciding whether specific investment to address these vulnerabilities is called for.
Second, the optimal level of security investments does not necessarily increase with one's aversion to risk (Proposition 2). Investing in security, just like every other investment, carries its own risk (of not working, for instance). This suggests that decision makers should carefully weigh the security risks against other types of business risks in deciding the level of investment in information security. Third, our examination of the two classes of security threats suggests that for a firm trying to defend against targeted attacks (e.g., those coming from determined hackers trying to break into a specific system), optimal security investment would increase with system vulnerability. However, when protecting against distributed attacks (e.g., those coming from viruses and spyware spreading over the Internet without specific targets), the firm is better off investing in security measures that protect information systems with low to moderate vulnerability. This finding suggests that a firm should identify its main information security threat before determining the investments based on system vulnerabilities. It also suggests that, when the main security risk is of a distributed nature, the firm may be better off reducing the exposure to attacks by reconfiguring its information systems (which may involve reorientation of its business processes and practices) than trying to fend off attacks. As with all research, this study is not without limitations. First, many of our assumptions—such as continuous, twice differentiable, and bounded—for the functions and parameters used in the base model are customary in economic studies but still represent an ideal case for mathematical manipulation. Likewise, although our propositions and figures are correct within the boundary conditions specified, not all extreme conditions are tested.
The formulations that we employed for the utility functions and the security breach probability functions, though plausible and widely adopted, only represent an approximation to the real-world processes. Some simplifying assumptions in our model may also limit its practical applicability. For instance, our assumption of constant risk aversion does not take into account the variation of a firm's risk profile with its performance or wealth changes, given the prior research that shows that the decision makers of firms whose performance exceeds a certain level (say industry average) tend to become risk-averse (Fiegenbaum and Thomas, 1988; Jegers, 1991). Following Gordon and Loeb (2002), we model a single-event, single-period security breach with a fixed potential loss. In reality, security events are almost always multi-period with a variety of breaches, and the potential loss can be hard to determine. Similarly, we adopt their original model assumption that the effect of security investment is solely reflected in the reduction of the breach probability. Therefore, interactions between, say, security investment and the potential loss or the behavior of potential hackers are not considered in our model. Finally, our treatment of risk aversion is based on the assumption that the decision maker of a firm shares the same risk profile with its owner(s) in making investment decisions. Such an assumption needs to be modified in cases where the interest and the decision-making process of the managers (i.e., the decision makers) in a firm may not be completely aligned with its shareholders (i.e., owners). Our study points to several future directions for research. The first stream would develop further extensions to the current model by relaxing some of the boundary conditions. For instance, it would be interesting to go beyond the treatment of one security breach function at a time.
Firms face many types of security threats simultaneously, and a model that considers, say, both random and targeted attacks simultaneously would likely shed light on how a firm best allocates investment resources to achieve maximum attainable security. Another extension could be an investigation into how the security investment of a firm influences the behavior of the potential hackers, and vice versa, over time. It would also be interesting to investigate other types of security breach functions, such as one describing an internal security breach, as it is often a major source of security threat that all firms face (Gordon et al., 2005; Whitman, 2003). Yet another extension is to generalize the treatment of risk aversion in a firm's decision-making process. The adoption of an agency-theoretic approach can extend the current study beyond the assumption of congruent risk profiles of decision makers and owners, which often limits the application to smaller-sized firms. Additionally, a dynamic coefficient α can address the potentially different levels of risk aversion when a firm's performance or fortune changes. Some managerial implications highlighted by our model are worth further investigation. For instance, in the face of ever-increasing threats, the rate of increase of the maximum investment of a risk-averse decision maker decreases, implying the limited usefulness of increased investment at the same pace in the face of ever-increasing threat probabilities. The point of the shift of resources away from threat prevention, the focus of security investment, to recovery operations and loss reduction, the focus of security insurance, would be an important issue to investigate. This and other managerial implications can best be examined with an empirically based approach, such as case studies, as a future extension to this study.
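The following Python script is an added numerical illustration of two of the conclusions above (Proposition 1, the loss threshold below which a risk-averse firm invests nothing, and the contrast between targeted and distributed threats); it is not code from the paper or its authors. Its assumptions: the constant-risk-aversion utility is taken to be the CARA form u(w) = -exp(-a·w) with coefficient a (the page names constant risk aversion but does not write out the function); the breach probability functions are the two Gordon and Loeb (2002) classes S_I(z, v) = v / (k·z + 1)^β and S_II(z, v) = v^(k·z + 1), which the page cites but does not write out; wealth, loss, vulnerability and productivity values are constructed; and the optimum is located by grid search over [0, L] rather than by the paper's analytical derivation.

```python
import math

# Monetary quantities below are in constructed units (think "tens of thousands of dollars").


def cara_utility(wealth, risk_aversion):
    """Assumed utility form: constant absolute risk aversion, u(w) = -exp(-a*w), a > 0."""
    return -math.exp(-risk_aversion * wealth)


def breach_prob_class1(z, v, k=1.0, beta=1.0):
    """Gordon-Loeb class I: S(z, v) = v / (k*z + 1)**beta.  z = investment, v = vulnerability."""
    return v / (k * z + 1.0) ** beta


def breach_prob_class2(z, v, k=1.0):
    """Gordon-Loeb class II: S(z, v) = v ** (k*z + 1)."""
    return v ** (k * z + 1.0)


def expected_utility(z, loss, vuln, wealth, risk_aversion, breach_prob):
    """Single-period, single-breach expected utility of investing z:
    with probability S(z, v) the firm ends with wealth - z - loss, otherwise wealth - z."""
    s = breach_prob(z, vuln)
    return ((1.0 - s) * cara_utility(wealth - z, risk_aversion)
            + s * cara_utility(wealth - z - loss, risk_aversion))


def optimal_investment(loss, vuln, wealth=10.0, risk_aversion=0.1,
                       breach_prob=breach_prob_class1, steps=2000):
    """Grid search for the expected-utility-maximising investment z* in [0, loss].
    The search range follows the abstract's result that the investment never exceeds the
    potential loss; ties are resolved toward the smallest z, so a flat optimum returns 0."""
    grid = [loss * i / steps for i in range(steps + 1)]
    return max(grid, key=lambda z: expected_utility(z, loss, vuln, wealth,
                                                    risk_aversion, breach_prob))


def loss_threshold(vuln, loss_step=0.1, max_loss=10.0, **kw):
    """Proposition 1 numerically: the smallest potential loss (on a grid) at which the
    optimal investment becomes positive.  Returns None if it never does below max_loss."""
    n = int(round(max_loss / loss_step))
    for i in range(1, n + 1):
        loss = i * loss_step
        if optimal_investment(loss, vuln, **kw) > 0:
            return loss
    return None


def investment_by_vulnerability(loss, vulns, breach_prob):
    """Optimal investment for each vulnerability level under one breach-probability class."""
    return [(v, optimal_investment(loss, v, breach_prob=breach_prob)) for v in vulns]


if __name__ == "__main__":
    # A loss of 1 unit is not worth defending against at all; 6 units is.
    for loss in (1.0, 6.0):
        print(f"loss={loss:4.1f}  z*={optimal_investment(loss, 0.5):.3f}")
    print(f"loss threshold for v=0.5 (class I): {loss_threshold(0.5)}")
    # Class I (targeted): z* rises with vulnerability.
    # Class II (distributed): z* peaks at moderate vulnerability and drops to 0 for v=0.9.
    for name, fn in (("class I", breach_prob_class1), ("class II", breach_prob_class2)):
        for v, z in investment_by_vulnerability(6.0, (0.2, 0.5, 0.9), fn):
            print(f"{name}: v={v:.1f}  z*={z:.3f}")
```

Reading the output against the text: under class I the optimal investment grows monotonically with v, matching the targeted-attack finding, while under class II the most vulnerable system gets no investment at all, matching the advice to reconfigure highly exposed systems rather than try to fend off distributed attacks. Changing `risk_aversion` lets a reader check Proposition 2 for these parameters as well.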