Cybersecurity economic issues: Clearing the path to good practice

IEEE Software

Volumn 25, Issue 1, 2008, Pages 35-42

  Pfleeger, Shari Lawrence ^a   Rue, Rachel ^a  

^a RAND CORPORATION   (United States)

Author keywords

Cybersecurity; Economics; Models

Indexed keywords

DATA STRUCTURES; ECONOMIC ANALYSIS; SECURITY OF DATA;

CYBERSECURITY INVESTMENT; CYBERSECURITY PROTECTION; ECONOMIC MODEL;

SOFTWARE ENGINEERING;

EID: 39449096290     PISSN: 07407459     EISSN: None     Source Type: Journal    
DOI: 10.1109/MS.2008.4     Document Type: Article

References (32)

1. M.E. Johnson and E. Goetz, "Embedding Information Security Into the Organization," IEEE Security and Privacy, vol. 5, no. 3, 2007, pp. 16-24.
2. S.L. Pfleeger, M. Libicki, and M. Webber, "I'll Buy That! Cybersecurity in the Internet Marketplace," IEEE Security and Privacy, vol. 5, no. 3, 2007, pp. 25-31.
3. R. Anderson, "Why Information Security Is Hard - An Economic Perspective," Proc. 17th Ann. Computer Security Applications Conf. Assoc. for Economic Service, 2001, pp. 358-365.
4. A. Arora, J.P. Caulkins, and R. Telang, "Sell First, Fix Later: Impact of Patching on Software Quality," Oct. 2004, http://ssrn.com/ abstract=670285.
5. D. Nizovtsev and M. Thursby, "Economic Analysis of Incentives to Disclose Software Vulnerabilities," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, www.infosecon.net/workshop/pdf/20.pdf.
6. K. Campbell et al., "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," J. Computer Security, Mar. 2003, pp. 431-448.
7. R. Telang and S. Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors: An Empirical Investigation," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, www.infosecon.net/workshop/pdf/ telang_wattal.pdf.
8. A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, www.infosecon.net/workshop/pdf/10.pdf.
9. E. Rescorla, "Is Finding Security Holes a Good Idea?" paper presented at 3rd Ann. Workshop Economics of Information Security (WEIS 04), 2004, www.dtc.umn.edu/weis2004/rescorla.pdf.
10. B. Schneier, "Full Disclosure and the Window of Exposure," Crypto-gram Newsletter, 15 Sept. 2000, www.schneier.com/ crypto-gram-0009.html.
11. L.A. Gordon, M.P. Loeb, and W. Lucyshyn, "Sharing Information on Computer Systems: An Economic Analysis," J. Accounting and Public Policy, vol. 22, no. 6, 2003, pp. 461-485.
12. E. Gal-Or and A. Ghose, "The Economic Incentives for Sharing Security Information," Information Systems Research, vol. 16, no. 2, 2005, pp. 186-208.
13. R. Anderson, "Unsettling Parallels between Security and the Environment," paper presented at the Workshop Economics of Information Security (WEIS), 2002, www2.sims.berkeley.edu/resources/affiliates/ workshops/econsecurity/econws/37.txt.
14. S. Schechter, "Computer Security Strength and Risk: A Quantitative Approach," doctoral dissertation, Division of Eng. and Applied Science, Harvard Univ., 2004.
15. A. Ozment, "Bug Auctions: Vulnerability Markets Reconsidered," paper presented at 3rd Ann. Workshop Economics of Information Security (WEIS 04), 2004, www.dtc.umn.edu/weis2004/ozment.pdf.
16. K. Kannan and R. Telang, "Market for Software Vulnerabilities? Think Again," Management Science, vol. 51, no. 5, 2005, pp. 726-740.
17. A. Shostack, "Avoiding Liability: An Alternative Route to More Secure Products," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, www.infosecon.net/workshop/pdf/ 44.pdf.
18. J. Kesan, R. Majuca, and W. Yurcik, "CyberInsurance as a Market-Based Solution to the Problem of Cybersecurity - A Case Study," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, http://infosecon.net/workshop/pdf/42.pdf.
19. W.S. Baer and A. Parkinson, "Cyberinsurance in IT Security Management," IEEE Security and Privacy, vol. 5, no. 3, 2007, pp. 50-56.
20. L. Gordon and M. Loeb, "Return on Information Security Investments: Myths versus Realities," Strategic Finance, vol. 84, no. 5, 2002, pp. 26-31.
21. H. Cavusoglu, B. Mishra, and S. Raghunathan, "The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers," Int'l J. Electronic Commerce, vol. 9, no. 1, 2004, p. 70-104.
22. F. Farahmand et al., "A Management Perspective on Risk of Security Threats to Information Systems," Information Technology and Management, vol. 6, nos. 2-3, 2005, pp. 203-225.
23. S. Schechter, "Quantitatively Differentiating System Security," paper presented at 1st Workshop Economics of Information Security, 2002, www2.sims.berkeley.edu/resources/affiliates/workshops/ econsecurity/econws/31.pdf.
24. M. Cremonini and P. Martini, "Evaluating Information Security Investments from Attackers Perspective: The Return-on-Attack," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005; www.infosecon.net/workshop/pdf/23.pdf.
25. L. Gordon, M. Loeb, and S. Tashfeen, "A Framework for Using Insurance for Cyber-Risk Management," Comm. ACM, vol. 46, no. 3, 2003, pp. 81-85.
26. L. Gordon and M. Loeb, "Evaluating Information Security Investments Using the Analytical Hierarchy Process," Comm. ACM, vol. 48, no. 2, 2005, pp. 78-83.
27. L. Gordon and M. Loeb, Managing Cybersecurity Resources, McGraw-Hill, 2005.
28. J. Conrad, "Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, http://infosecon.net/ workshop/pdf/13.pdf.
29. K. Soo Hoo, "How Much Is Enough? A Risk-Management Approach to Computer Security," Consortium for Research on Information Security and Policy, Stanford Univ., 2000, http://iis-dbstanford.edu/pubs/11900/ soohoo.pdf.
30. F. Farahmand et al., "Assessing Damages of Information Security Incidents and Selecting Control Measures: A Case Study Approach," paper presented at 4th Ann. Workshop Economics of Information Security (WEIS 05), 2005, www.infosecon.net/workshop/pdf/39.pdf.
31. H. Cavusoglu, B. Mishra, and S. Raghunathan, "A Model for Evaluating: IT Security Investments," Comm. ACM, vol. 47, no. 7, 2004, pp. 87-92.
32. R. Rue, S.L. Pfleeger, and D. Ortiz, "A Framework for Classifying and Comparing Models of Cyber Security Investment to Support Policy and Decision Making," paper presented at 2007 Workshop Economics of Information Security (WEIS 07), 2007, http://weis07.infosecon.net/ papers/76.pdf.