An economic analysis of the optimal information security investment in the case of a risk-averse firm

International Journal of Production Economics

Volumn 114, Issue 2, 2008, Pages 793-804

  Derrick Huang, C ^a   Hu, Qing ^a   Behara, Ravi S ^a  

^a FLORIDA ATLANTIC UNIVERSITY   (United States)

Author keywords

Expected utility theory; Information security; Optimal investment

Indexed keywords

DECISION THEORY; ECONOMIC ANALYSIS; FINANCE; INFORMATION SERVICES; INVESTMENTS; RISK ANALYSIS; RISKS; SECURITY OF DATA;

(SPM) CLASSES; DECISION MAKER (DM); ELSEVIER (CO); EXPECTED UTILITY THEORY (EUT); FUTURE RESEARCH DIRECTIONS; INFORMATION SECURITY; OPTIMAL INVESTMENTS; OPTIMAL LEVELS; POTENTIAL LOSS; RISK AVERSION; SECURITY BREACHES; SECURITY THREATS;

RISK ASSESSMENT;

EID: 46849085979     PISSN: 09255273     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ijpe.2008.04.002     Document Type: Article

References (39)

1. Anderson, R., 2001. Why information security is hard: An economic perspective. In: Presented at the 17th Annual Computer Security Applications Conference, West Lafayette, IN, USA
2. Bodin L.D., Gordon L.A., and Loeb M.P. Evaluating information security investments using the Analytic Hierarchy Process. Communications of the ACM 48 2 (2005) 79-83
3. Borch K.H. The Economics of Uncertainty (1968), Princeton University Press, Princeton, NJ
4. Browne S. Optimal investment policies for a firm with a random risk process: Exponential utility and minimizing the probability of ruin. Mathematics of Operations Research 20 4 (1995) 937-958
5. Cavusoglu H. Economics of IT security management. In: Camp L.J., and Lewis S. (Eds). Economics of Information Security (2004), Kluwer Academic Publishers, Boston, MA 71-83
6. Cavusoglu H., and Raghunathan S. Configuration of intrusion detection systems: A comparison of decision and game theoretic approaches. INFORMS Journal on Decision Analysis 1 3 (2004) 131-148
7. Cavusoglu H., Mishra B., and Raghunathan S. A model for evaluating IT security investments. Communications of the ACM 47 7 (2004) 87-92
8. Cavusoglu H., Mishra B., and Raghunathan S. The value of intrusion detection systems in information technology security architecture. Information Systems Research 16 1 (2005) 28-46
9. CompTIA, 2007. Information security spending on the rise, CompTIA survey reveals. CompTIA (Computing Technology Industry Association) press release, October 9.
10. Cremonini, M., Nizovtsev, D., 2006. Understanding and influencing attackers' decisions: Implications for security investment strategies. In: Presented at the Workshop on the Economics of Information Security, Cambridge, England, 26-28 June.
11. Denning D. Reflections on cyberweapons controls. Computer Security Journal 16 4 (2000) 3-53
12. Dutta A., and Mccrohan K. Management's role in information security in a cyber economy. California Management Review 45 1 (2002) 67-87
13. Farahmand F., Navathe S.B., Sharp G.P., and Enslow P.H. Evaluating damages caused by information systems security incidents. In: Camp L.J., and Lewis S. (Eds). Economics of Information Security (2004), Kluwer Academic Publishers, Boston, MA 71-83
14. Fiegenbaum A., and Thomas H. Attitudes toward risk and the risk-return paradox: Prospect theory explanations. Academy of Management Journal 32 1 (1988) 85-106
15. Fishburn P.C. Retrospective on the utility theory of von Neumann and Morgenstern. Journal of Risk and Uncertainty 2 (1989) 127-158
16. Friedman M., and Savage L. The expected utility hypothesis and the measurability of utility. Journal of Political Economy 60 (1952) 463-474
17. Geer D., Soo Hoo K., and Jaquith A. Information security: Why the future belongs to the quants. IEEE Security and Privacy 1 4 (2003) 24-32
18. Gerber H.U., and Pafumi G. Utility functions: From risk theory to finance. North American Actuarial Journal 2 3 (1998) 74-100
19. Gordon L.A., and Loeb M.P. The economics of information security investment. ACM Transactions on Information and Systems Security 5 4 (2002) 438-457
20. Gordon L.A., Loeb M.P., Lucyshyn W., and Richardson R. 2005 CSI/FBI Computer Crime and Security Survey (2005), Computer Security Institute
21. Henderson V., and Hobson D.G. Real option with constant relative risk aversion. Journal of Economic Dynamics and Control 27 (2002) 329-355
22. Hausken K. Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontier 8 (2006) 338-349
23. Jegers M. Prospect theory and the risk-return relation: Some Belgian evidence. Academy of Management Journal 34 1 (1991) 215-225
24. Kaas R., Gavaerts M., Phaene J., and Dennit M. Modern actuarial risk theory (2001), Kluwer Academic Publishers, Boston, MA
25. Kesan, J.P., Majuca, R.P., Yurcik, W.J., 2004. The economic case for cyberinsurance. Law and Economics Working Paper, University of Illinois College of Law, USA.
26. Loch K.D., Carr H.C., and Warketin M.E. Threats to information systems: Today's reality, yesterday's understanding. MIS Quarterly 16 2 (1992) 173-186
27. Lu P., Zang W., and Yu M. Incentive-based modeling and inference of attack intent, objectives, and strategies. ACM Transactions on Information and Systems Security 8 1 (2005) 78-118
28. Menoncin F. Optimal portfolio and background risk: An exact and an approximate solution. Insurance Mathematics and Economics 31 2 (2002) 249-265
29. Niederman F., Brancheau J.C., and Wetherbe J.C. Information systems management issues for the 1990s. MIS Quarterly 15 4 (1991) 475-502
30. Pratt J.W. Risk aversion in the small and in the large. Econometrica 32 1-2 (1964) 122-136
31. Purser S.A. Improving the ROI of the security management process. Computer and Security 23 (2004) 542-546
32. Schechter, S.E., 2004. Computer security strength and risk: A quantitative approach. Ph.D. Thesis, Harvard University, USA.
33. Soo Hoo, K., 2000. How much is enough? A risk-management approach to computer security. Working Paper, Consortium for Research on Information Security and Policy, Stanford University, USA.
34. Stapleton R.C., and Subrahmanyam M.G. Risk aversion and the intertemporal behavior of asset prices. The Review of Financial Studies 3 4 (1990) 677-693
35. Straub D.W. Effective IS security: An empirical study. Information Systems Research 1 3 (1990) 255-276
36. Straube D.W., and Welke R.J. Coping with systems risk: Security planning model for managerial decision making. MIS Quarterly 22 4 (1998) 441-469
37. Varian, H., 2000. System reliability and free riding. In: Proceedings of the Fifth International Conference on Electronic Commerce, pp. 305-366.
38. Whitman M.E. Enemy at the gate: Threats to information security. Communications of the ACM 46 3 (2003) 91-95
39. Wiseman R.M., and Gomez-Mejia L.R. A behavioral agency model of managerial risk taking. Academy of Management Review 23 1 (1998) 133-153