Abstract
Increasing reliance on IT and the worsening threat environment mean that organisations are under pressure to invest more in information security. A challenge is that the choices are hard: money is tight, objectives are not clear, and there are many relevant experts and stakeholders. A significant proportion of the research in security economics is about helping people and organisations make better security investment and policy decisions.

This paper looks at the impact of methods based on security economics on a set of decision makers. Importantly, the study focused upon experienced security professionals using a realistic security problem relating to client infrastructure. Results indicated that the methods changed the decision processes for these experienced security professionals. Specifically, a broader range of factors were accounted for and included as justifications for the decisions selected. The security professional is an (important and influential) stakeholder in the organisational decision-making process, and arguably a more complete understanding of the problem is more suitable for persuading a broader business audience.

More generally, the study complements all research in security economics that is aimed at improving decision making, and suggests ways to proceed and test for the impact of new methods on the actual decision makers.
Appendices
Appendix 1: System Architecture of the Preference Elicitation Tool
The figure below provides a high-level view of the system architecture behind this tool. It is based on an engine that executes preference elicitation workflows. Each step in the workflow can be configured in terms of the information that will be requested from the user and its graphical representation. The tool stores the gathered information in a centralised database, allowing for further post-processing and data mining.
Appendix 2: Summary of Data Analysis
Appendix 3: Example/Illustration Question and Justifications
Appendix 4: Preferences Expressed by the Intervention Group in Phase 5a
Copyright information
© 2013 Springer Science+Business Media New York
Cite this paper
Baldwin, A. et al. (2013). Economic Methods and Decision Making by Security Professionals. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_10
DOI: https://doi.org/10.1007/978-1-4614-1981-5_10
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-1980-8
Online ISBN: 978-1-4614-1981-5
eBook Packages: Computer Science (R0)