Chapter 9
The Economics of Cybersecurity
In this chapter
· Making an economic case for security
· Measuring and quantifying economic value
· Modeling the economics of cybersecurity
In Chapter 8, we began to examine the kinds of security decisions
you might make about your computer, system, or network. In this chapter, we
focus on decisions involved in allocating scarce financial resources to
cybersecurity. That is, as a practitioner, you must decide in what kinds of
security controls to invest, based on need, cost, and the tradeoffs with other
investments (that may not be security related).
For example, the chief
executive officer may announce that because the company has done well, there is
a sum of money to invest for the benefit of the company. She solicits proposals
that describe not only the way in which the money can be used but also the
likely benefits to be received (and by whom) as a result. You prepare a
proposal that suggests installation of a firewall, a spam filter, an encryption
scheme to create a virtual private network, and the use of secure
identification tokens for remote network access. You describe the threats
addressed by these products and the degree (in terms of cost and company
profit) to which the proposed actions will benefit the company. The CEO
compares your proposal with other possible investments: buying a subsidiary to
enable the company to provide a new product or service, acquiring new office
space that will include a larger library and more computer labs, or simply
holding the money for a few years to generate a return that will profit the
company. The choices, and the tradeoffs among them, can be analyzed by
understanding the economics of cybersecurity.
We begin this chapter by
describing what we mean by a business case: the framework for presenting
information about why we think a particular security investment is needed. Then
we examine more closely the elements needed in the business case: data and
relationships that show that there is a problem and that the proposed solution
will be good for the company. Presenting the business case involves not just
economics but the need for consistent terminology, measurement, and a context
in which to make informed decisions. The business case is informed by our
understanding of technology but must be framed in business language and
concepts so that it can be easily compared with nonsecurity choices.
Next, we look at analyses of
the magnitude and nature of the cybersecurity problem in several countries, including
the United States, Britain, and Australia. To make a compelling business case
for security investment, we need data on the risks and costs of security
incidents. Unfortunately, as our discussion shows, reliable data are hard to
find, so we outline the kind of data collection that would help security
professionals.
Once we have good data, we
can build models and make projections. We examine several ways to model the
impact of a cybersecurity investment. Building and using a model involve
understanding key factors and relationships; we discuss examples of each.
Finally, we explore the possibilities for future research in this rich,
interdisciplinary area.