Académique Documents
Professionnel Documents
Culture Documents
available at www.sciencedirect.com
Article history: Security decisions are made at every level of an organization and from diverse perspec-
Received 6 September 2006 tives. At the tactical and operational levels of an organization, decision making focuses
Received in revised form on the optimization of security resources, that is, an integrated combination of plans, per-
19 January 2007 sonnel, procedures, guidelines and technology that minimize damages and losses. While
Accepted 12 March 2008 these actions and tactics reduce the frequency and/or consequences of security breaches,
they are bounded by the organization’s global security budget. At the strategic, enterprise
level management must answer the question, ‘‘What is the security budget (cost expendi-
Keywords: tures), where each dollar spent on security must be weighed against alternative non-
Security costs and benefits security expenditures, that is justified by the foregone (prevented) losses and damages?’’
Enterprise security requirements The answer to that question depends on the tolerances of decision makers for risk and
Information security the information employed to reach it.
Best practices ª 2008 Elsevier Ltd. All rights reserved.
Models of risk management
* Corresponding author. Mays Business School, Texas A&M University, 322 Wehner Building, College Station, TX 77843-4217, USA.
E-mail address: eanderson@mays.tamu.edu (E.E. Anderson).
0167-4048/$ – see front matter ª 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2008.03.002
computers & security 27 (2008) 22–29 23
imperfect against the growth, intelligence and virulence of tradeoffs and depends on the costs and rewards for accepting
emerging threats. risk (Walwyn et al., 2002).
In the late 1960s the U.S. Department of Defense recognized The management of information security occurs at many
the risks associated with using information systems for criti- levels within an organization (Tsiakis and Stephanides,
cal tasks. In response, the Advanced Research Projects Agency 2005). The authors assume, at technical and operational
(ARPA) formed a taskforce to study the risks introduced by the levels, that security budgets have been optimized (Cavusoglu
widespread use of resource-sharing information systems and et al., 2004; Gordon and Loeb, 2006; Hamill et al., 2005). That
to make recommendations to improve their security (Ware, is, expenditures for enterprise security have been distributed
1970). The National Bureau of Standards, which subsequently over tools, policies, technology, procedures and personnel so
became the National Institute of Standards and Technology as to achieve the highest level of asset protection (Eloff and
(NIST), codified many of the strategies identified in the ARPA von Solms, 2000). However, at the strategic level, management
studies and published the first U.S. government guidelines has a different perspective and must answer the following
for computer security risk management (Farquhar, 1991; question: ‘‘What is the optimal enterprise-wide security bud-
NBS, 1974). Since that time, NIST’s Computer Security get that minimizes aggregate losses/damages due to attacks
Resource Center (CSRC) has become a valuable repository for plus the dollar costs (security budget) for the acquisition and
U.S. government guidelines on information system security deployment of detection, prevention and recovery re-
and risk management (Hoffman, 1989; NIST, 2006). Numerous sources?’’ The answer to this question establishes the budget-
other private and public sector organizations, domestic and ary boundaries for building a security capability and for
international, have contributed guidelines, frameworks, and acceptable dollar losses, given the risk tolerances of decision
methodologies to assist management to understand risks makers. It involves modeling the costs of achieving various
and find acceptable levels thereof (Hoffman, 1989; Soo Hoo, levels of best practice implementation in the presence of un-
2000). These efforts have contributed enormously to aware- certain losses and establishes the optimal enterprise security
ness, the identification of threats and potential attack trees, budget using various decision criteria. The strategic manage-
specification of security requirements and to a very extensive ment of security focuses on the competing demands for enter-
knowledge base of technical and operational solutions that prise resources and their opportunity costs, and seeks to
have formed what the authors will collectively refer to as identify security benefits that justify related costs. If there
‘‘best practices.’’ were no threats, security resources would not exist, costs
While these recommendations, tools and methods are in- would be lower, profits higher, and entities would have higher
valuable to the deployment and operationalization of security equity values.
resources, they have several important limitations. First, they Every enterprise, based on its requirements, has a wide
tend to focus on the incident(s), its characterization, and the range of security solutions (Gerber and von Solms, 2001).
threat-vulnerability combinations that can lead to potential That is, there exist integrated combinations of policies, proce-
losses. That is, they operationalize security tools and methods dures, guidelines, personnel and technologies, appropriately
at the asset level to detect and/or prevent potential damages tiered, configured and customized. In this paper, they will be
(Cavusoglu et al., 2005). The tradeoffs considered are between collectively referred to as best practices. The components of
solutions and not between expenditures and resources best practices and the resources required for implementation
devoted to information security versus other alternative ap- are identifiable and can be operationalized. Organizations de-
plications. Second, they do not provide an ‘‘enterprise-wide’’ fine/choose a best practice (subset) appropriate to their needs
perspective that aggregates horizontally and vertically across from the set of all possible best practices, but implement it
threats, vulnerabilities, protected assets and organizational with varying degrees of completeness, functionality and ro-
impacts (Anderson, 2001; Woodlock and Ross, 2001). At the bustness (Cavusoglu et al., 2004). If, for example, an organiza-
strategic level of an organization, the benefits of information tion chooses from the set of best practices a best practice that
security, that is, reduced damages and losses must be bal- includes an awareness program, the degree of implementa-
anced against security costs (Sklovos and Souros, 2006). Ex- tion may vary enormously across the employees included,
penditures for security that exceed this balance may further delivery media, content, repetition, and examination or certi-
reduce expected losses, but may be excessive given their fication requirement. In this paper, the degree of implementa-
opportunity costs (Gordon and Loeb, 2006). Third, existing tion is defined as a percent, 0 li 100; i ¼ 0; 1; .; n, of the
security guidelines, prescriptions and best practices take an maximum achievable against known standards, protocols
operational view of risks (Blakley et al., 2001). They quantify and benchmarks. It is assumed that higher levels of imple-
the likelihood of attacks and argue that plans, programs and mentation are increasingly difficult to achieve, resource inten-
actions that reduce the frequency and/or seriousness of inci- sive and time consuming. The costs of implementation per
dents thereby reduce risks (Gehani, 2004; Peltier, 2004). They period c(li) include all detectors and preventors contained
tend to imply that risk is a universal, absolute construct, within a best practice and its implementations. Since higher
rather than a value judgment unique to contexts and decision levels of li are increasingly difficult to achieve, it is assumed
makers. Indeed, at a strategic level risk taking involves that their costs increase monotonically at an increasing rate.
24 computers & security 27 (2008) 22–29
It is assumed that these costs are equivalent to the enterprise is E½[ðln Þ > 0 (Tsiakis and Stephanides, 2005). Organizations
security budget, that is, all approved expenditures are with fewer (more) threats and/or vulnerabilities, fewer
incurred. (more) commercial dependencies on the public web, and
Attacks can take many different forms, derive from numer- a more (less) stable, trained workforce would be expected to
ous sources, and have widely varying outcomes. Potential have lower (higher) expected losses at ln . Furthermore, there
losses 0 [ðli Þi ; j ¼ 0; 1; .; m may derive from damage(s) to is a family of expected loss graphs, one for each possible
computers, operating systems, network technologies, stored best practice.
data and/or applications and require diagnosis, repair, re- The uncertainty of losses can be seen at l1 , where [ðl1 Þ0
placement and re-deployment. Additionally, losses may result and [ðl1 Þ1 are potential losses occurring with probabilities
from interruptions to the real-time availability of data ex- pr ð[ðl1 Þ0 Þ and pr ð[ðl1 Þ1 Þ and have an expected value E½[ðl1 Þ.
change and transaction processing services that affect com- Larger and smaller losses than [ðl1 Þ0 and [ðl1 Þ1 , respectively,
mercial activity. Finally, losses may derive from the loss of are less likely to occur. Probable losses for any li are defined
trust and confidence in an organization’s ability to meet the as Lðli Þj and are the potential losses weighted by their proba-
expectations of users and/or to protect their identity and pri- bilities of occurrence, that is, pr ð[ðli Þj Þ[ðli Þj .
vacy (Cavusoglu et al., 2004). The latter can cause shrinking Embedded in potential and expected losses are aggregated
sales, loss of suppliers and legal penalties. It is assumed that damages to information assets, the costs of repair and restora-
potential losses are unimodal, symmetrically distributed tion, as well as the negative impacts on commercial activity
around their expected values E½[ðli Þ and that expected losses and equity valuation. Expected losses decrease, but at a de-
decrease at a decreasing rate with higher levels of best creasing rate, as the percent of best practice implemented in-
practice implemented. The probability of potential losses is creases because the most productive solutions are deployed
defined as 0 pr ð[ðli Þj Þ 1 and sum to one for all j. first and greater li are less and less productive. It is possible
Fig. 1 presents the graphs of per period expected losses and that expected losses will reach their minimum before ln im-
security cost. Underlying factors affecting each would, of plying that further spending for security is without benefit(s).
course, change their slopes and cause them to shift up or That is, there may exist a segment of the expected losses
down. For any level (percent) of best practice implemented, graph that is flat (horizontal) at its minimum.
potential losses [ðli Þj 0 may vary substantially. For purposes In general, the costs of best practice implementations will
of this paper, it is unnecessary to give form to the density not increase proportionately with li, but rather will increase at
function of losses. In practice a gamma or exponential distri- an increasing rate. Hence, the incremental costs of improving
bution might be appropriate, recognizing that losses cannot be best practices from 90 to 100% will be substantially higher
negative and that very large losses have a positive, though than from 10 to 20%. The graph of security costs would shift
perhaps very small probability. It is assumed that organiza- to the left (steeper) or to the right (flatter) depending on the
tions deploy the most productive security solutions first, and prices paid for resources employed in the implementations,
as li increases, they will add capabilities that continue to re- the complexities of their integrations, and the length of their
duce losses but are less and less effective per dollar expended. life cycles.
Expected losses at l0 ¼ 0, where there is no funding for secu-
rity, E½[ðl0 Þ are maximum and decrease at a decreasing rate
as li increases. It should be noted that a very robust, compre- 4. Enterprise strategy: costs and benefits
hensive implementation of each best practice contained
within the set of all best practices, e.g. ln , is imperfect, that The attitudes and tolerances for risks vary substantially from
context to context for an individual decision maker and from
person to person in the same context and under the same
degree of uncertainty (Finne, 2000; Gollier and Pratt, 1996;
0 Tversky and Kahneman, 1986). They also can vary with the ab-
Security Costs and Losses: c(λi) and (λi)
and average to zero. Furthermore, risk neutral decision losses of security, Mc(l1) and ME[[(li)], respectively. They rep-
makers will regard expected losses and security costs as resent the incremental changes in each variable associated
purely compensatory. That is, dollar for dollar reductions in with increases or decreases in li. Without explicitly defining
either is equally desirable. Preventing a dollar of losses is the functions c and E, by assumption and observation, one
not preferred, per se, to a dollar reduction in security costs. would expect marginal costs (marginal expected losses) to in-
Commencing at the origin l0 , an improvement in best prac- crease (decrease) with increases in li. However, neither would
tice to l1 will increase the costs of security to cðl1 Þ, but will necessarily increase (decrease) linearly.
yield benefits equal to the decrease in expected losses, In Fig. 2b, the optimum strategy is shown using marginal
E½[ðl0 ÞE½[ðl1 Þ. Since expected losses are reduced by more analyses. Since the marginal expected losses are negative,
than the increase in security costs, the aggregate value of los- the authors have taken its absolute value. The optimum li
ses plus security costs is reduced and the firm has financial in- occurs at l* where there is an intersection of Mc(li) and
centives to continue to increase li . Continued improvements jME½[ðli Þj. Best practice implementations to the left of l* yield
in best practices to l* increase security costs by an amount marginal benefits for security that exceed its marginal costs
(c(l*) c(l1)) which is equal to the decrease in expected losses and, therefore, encourage organizations to increase their
ðE½[ðl1 ÞE½[ðl ÞÞ. If there is no maximum unacceptable security capabilities. The converse is true for l* < li.
expected or probable losses, l* is preferred to l1 since each in-
cremental dollar spent on improving best practices yields
a return of more than one dollar in foregone, prevented losses. Enterprise Strategic Security: Risk Neutral Decision Rule
The firm is willing to spend more and more on security as long
as each dollar spent produces a benefit, that is, reduced If there is no maximum unacceptable expected or
expected losses, that is at least as large. In Fig. 2a, this occurs probable losses and decision makers are risk neutral,
where the slope of the graph of security costs is equal to abso- the optimal security budget and best practice implemen-
lute value of the slope of the expected losses graph. tation occurs where the marginal (incremental) costs of
From the functions of c(li) and E[[(li)] and their derivatives, best practice Mc( li) is equal to the absolute value of mar-
one may define the marginal costs and marginal expected ginal (incremental) expected losses jME[[(li)]j.
Marginal Costs and Marginal Expected Losses
$
a b
Security Costs and Losses: c(λi) and (λi)
)i
(absolute value)
(
ts:c
os
yc
rit
cu
Se
Exp
ecte
d lo
sses
: E[
( )
i ]
i 0
Percent of Best Practice Implemented: λi Percent of Best Practice Implemented: λi
Aggregate Security Costs plus Expected Losses
$
c
1 ∗ 2 3 i
Fig. 2 – (a) Optimal strategy under risk neutrality: li [ l*, (b) optimal strategy: marginal costs and marginal expected losses,
and (c) optimal strategy: aggregate charges against revenue.
26 computers & security 27 (2008) 22–29
Instruments in charting research directions in this area. Management, J. of Database Management, J. of Management Infor-
Dr. Choobineh’s research areas include information systems mation Systems, Omega, and The Database for Advances in Infor-
security, data modeling, electronic commerce, integration of mation Systems. Since 1986, Dr. Choobineh has successfully
data and mathematical models, and creation of intelligent delivered results on research and educational grants that
systems to solve organizational problems. He has written were funded by firms such as CISCO Systems, EDS, HP, and
more than fifty (50) articles that have appeared in conference Texas Instruments. He has served as the chair of 8 and com-
proceedings and journals such as (in alphabetical order) An- mittee member of 11 Ph.D. students. He has served as the
nals of Operations Research, Communications of the ACM, Database chair and committee member of hundreds of Master of Sci-
Engineering, Decision Support Systems, IEEE Transactions on Soft- ence students. Dr. Choobineh is currently an Associate Editor
ware Engineering, Information and Management, Information Strat- of INFORMS Journal on Computing and serves on the editorial
egy, Information Systems, Information Systems Management, board of the International Journal of Business Information
INFORMS Journal on Computing, Intl. J. Of Operations & Production Systems.