Decision Making for Information Security Investments

Abstract

Enterprises must manage their information risk as part of their larger operational risk management program. Traditionally, IT security investment decisions are made in isolation. However, as firms that compete for customers in an industry are closely interlinked, a macro perspective is needed in analyzing these decisions. Using the notions of direct- and cross-risk elasticity to describe the customer response to adverse IT security events in the firm and competitor, respectively, we analyze optimal security investment decisions. The continuous-time Markov chain (CTMC) is a natural way to examine how the combination of the expected adverse event arrival rate and the expected duration of customer reactions to these adverse events impacts security spending and expected profits, given different types of customer reaction. Expanding this work, customer utility is modelled using a Hotelling setting in order to examine how the introduction of minimum security spending requirements affect total social welfare. Optimal IT security spending, expected firm profits, total social welfare, and the willingness of firms to cooperate on security improvements are highly dependent on the nature of customer response to adverse events. Once firms have made a decision regarding their security investment level, managers must consider how to implement information security controls. The effectiveness of three different control placement methods is examined by defining a flow risk reduction problem and presenting a formal model using a workflow framework. One year of simulated attacks is used to validate the quality of the solutions, finding that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment measures compared to heuristics that would typically be used by managers to solve the problem. By using a workflow approach to control placement, guiding the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically. The contribution of this body of work is to provide managers with methods for deciding on the level and selection of information security investments, obtaining significantly better returns on these security investments.