The Economics of Information Security Investment

ACM Transactions on Information and System Security

Volumn 5, Issue 4, 2002, Pages 438-457

  Gordon, Lawrence A ^a   Loeb, Martin P ^a  

^a UNIVERSITY OF MARYLAND   (United States)

Author keywords

Economics; Optimal security investment; Security

Indexed keywords

EID: 84990029315     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/581271.581274     Document Type: Article

References (35)

1. Anderson, J., 1972. Computer security technology planning study. U.S. Air Force Electronic Systems Division Tech. Rep. (Oct.), 73-151.
2. Anderson, R. 2001. Why information security is hard-An economic perspective. In Proceedings of 17th Annual Computer Security Applications Conference (ACSAC) (New Orleans, La. Dec. 10-14).
3. Axelsson, S., 2000. The base-rate fallacy and the difficulty of intrusion detection.ACM Trans. Inf. Syst. Sec. 3, 3 (Aug.), 186-205.
4. Buzzard, K., 1999. Computer security-What should you spend your money on.Comput. Sec. 18 4, 322-334.
5. Daniels, T. E., Spafford, E. H., 1999. Identification of host audit data to detect attacks on low-level IP.J. Comput. Sec. 7, 1, 3-35.
6. Denning, D., 1987. An intrusion-detection model.IEEE Trans. Softw. Eng. 13, 2 (Feb.), 222-226.
7. Denning, D., Branstad, D., 1996. A taxonomy of key escrow encryption systems.Commun. ACM. 39, 3 (Mar.), 34-40.
8. Finne, T., 1998. A conceptual framework for information security management.Comput. Sec. 17 4, 303-307.
9. Frincke, D., 2000. Balancing cooperation and risk in intrusion detection.ACM Trans. Inf. Syst. Sec. 3, 1 (Feb.), 1-29.
10. Gordon, L., Loeb, M., 2001. A framework for using information security as a response to competitor analysis systems.Commun. ACM, 44, 9 (Sept.), 70-75.
11. Hann, J., Weber, R., 1996. Information systems planning: A model and empirical tests.Manage. Sci. 42, 7 (July), 1043-1064.
12. Hoo, K., 2000. How much is enough? A risk-management approach to computer security.Consortium for Research on Information Security Policy (CRISP) Working Paper. Stanford University, Stanford, Calif., June.
13. Jajodia, S., Millen, J., 1993. Editors' preface. J. Comput. Sec. 2, 2-3, 85.
14. Jones, A., 1997. Penetration testing and system audit.Comput. Sec. 16, 595-602.
15. Littlewood, B., Broclehurst, S., Fenton, N., Mellor, P., Page, S., Wright, D., Dobson, J., Mcdermid, J., Gollman, D., 1993. Towards operational measures of security.J. Comput. Sec. 2, 2, 211-229.
16. Loch, K. D., Carr, H. H., Warkentin, M. E., 1992. Threats to information systems: Today's reality, yesterday's understanding.MIS Quart. 17, 2, 173-186.
17. Luotonen, O., 1993. Risk management and insurances.Painatuskeskus Oy. Helsinki, Finland.
18. Mcknight, L., Solomon, R., Reagle, J., Carver, D., Johnson, C., Gerovac, B., Gingold, D., 1997. Information security of internet commerce. In Internet Economics, L. McKnight and J. Bailey, Eds., MIT Press, Cambridge, Mass., pp. 435-452.
19. Meadows, C., 2001. A cost-based framework for analysis of denial of service in networks J. Comput. Sec. 9, 1-2, 143-164.
20. Millen, J., 1992. A resource allocation model for denial of service. In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif., pp. 137-147.
21. Muralidhar, K., Batra, D., Kirs, P., 1995. Accessibility, security, and accuracy in statistical databases: The case for the multiplicative fixed data perturbation approach.Manage. Sci. 41, 9 (Sept.), 1549-1564.
22. NIST (NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY). 1995.An Introduction to Computer Security: The NIST Handbook. (Special Publication 800-12).
23. Osborn, S., Sandhu, R., Munawer, Q., 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies.ACM Trans. Inf. Syst. Sec. 3, 2 (May), 85-106.
24. Peyravian, M., Roginsky, A., Zunic, N., 1999. Hash-based encryption.Comput. Sec. 18, 4, 345-350.
25. Pfleeger, C., 1997.Security in Computing (2nd ed.), Prentice-Hall, Englewood Cliffs, N.J.
26. Power, R., 2001. 2001CSI/FBI computer crime and security survey.Comput. Sec. J. 17 2 (Spring), 29-51.
27. Sandhu, R. S., Bhamidipati, V., Munawer, Q., 1999. The ARBAC97 model for role-based administration of roles.ACM Trans. Inf. Syst. Sec. 1, 2 (Feb.), 105-135.
28. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., Youman, C. E., 1996. Role-based access control models.IEEE Comput. 29, 2 (Feb.), 38-47.
29. Schneier, B., 1996.Applied Cryptography (2nd ed.), Wiley. New York.
30. Simmons, G., 1994. Cryptanalysis and protocol failures.Commun. ACM. 37, 11 (Nov.), 56-64.
31. Straub, D. W., 1990. Effective IS security: An empirical study.Inf. Syst. Res. 1, 3, 255-276.
32. Straub, D. W., Welke, R. J., 1998. Coping with systems risk: Security planning models for management decision making.MIS Quart. 23, 4, 441-469.
33. Varian, H. R., 1997. How to build an economic model in your spare time. Part of a collection titled Passion and Craft: Economists at Work, ed. Michael Szenberg, University of Michigan Press.
34. Vigna, G., Kemmeerer, R. A., 1999. Net STAT: a network-based intrusion detection system. J. Comput. Sec. 7, 1, 37-71.
35. Wiseman, S., 1986. A secure capability computer system. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif, pp. 86-94.