This is a case study assignment; the prof asked us to read the article and answer the questions. Answers should be 2 pages long.
CASE ASSIGNMENT 1: Questions for "Economics of IT Security Management" Case

1) The article questions the loss estimate obtained from CSI/FBI security surveys since they exclude some categories of costs associated with security breaches. It suggests that a cost estimate based on the loss in capital markets as a result of a breach in security may be a proxy to estimate the true cost of security breaches.
   a. What do you think about the quality of this cost estimate? Can you think of better ways to capture the true cost of security breaches?
   b. What factors can play an important role in determining the amount of reaction in capital markets as a result of a security breach?
   c. Can some firms benefit from security breaches experienced by others?

2) Do you agree that security investment can influence the behavior of attackers? If so, what type of attacks can be reduced through security investment?
   a. How can public policy play an important role in reinforcing firms' security investments?

3) Configuration of security controls is based on cost elements associated with two types of error: false positives and false negatives.
   a. Consider airport security. Why don't we configure metal detector doors at the gate area so that we will not miss any intruder?
   b. Biometrics, as an emerging security technology, mainly suffers from false positives. Do you think that we should start using these systems at the expense of false positives?
   c. Do you think that configuration is a problem for all controls (not necessarily security controls)? Can you give examples from contexts other than security?


Communications of the Association for Information Systems (Volume 14, 2004) 65-75

ECONOMICS OF IT SECURITY MANAGEMENT: FOUR IMPROVEMENTS TO CURRENT SECURITY PRACTICES

Hasan Cavusoglu, Sauder School of Business, The University of British Columbia
Huseyin Cavusoglu, A.B. Freeman School of Business, Tulane University
Srinivasan Raghunathan, School of Management, The University of Texas at Dallas

ABSTRACT

The importance of effective management of IT security from an economic perspective has increased in recent years because of the increasing frequency and cost of security breaches. Each security breach incurs monetary damage, corporate liability, and loss of credibility. This article presents four important elements that every IT security manager should consider while managing the security function from an economic perspective. The four elements are: estimation of security breach cost, a risk management approach, cost-effective technology configuration, and value from deployment of multiple technologies.

Keywords: security, economics of security, security practices, security management

I. INTRODUCTION

Increased interconnectivity among computers enabled by the Internet raised the scale and scope of information technology related crimes. As e-commerce continues to grow, so does cybercrime. The Department of Justice caseload itself reflects the growth of cybercrime. The number of computer intrusion cases jumped from 547 in 1998 to 1154 in 1999. These figures represent only the reported cases. Many cybercrimes go unreported because firms fear potentially adverse publicity, embarrassment, and negative effects that such disclosures could have on consumer and investor confidence. Some intrusions are not detected [1]. The cost of cybercrime increased over the last several years:

• In 2000, a global survey by InformationWeek and PriceWaterhouse Coopers LLP estimated that computer viruses and hacking took a $1.6 trillion toll on the worldwide economy and $266 billion in the United States alone [Denning 2000].
• In 2002, the losses from computer crime incidents reported to the Computer Security Institute (CSI) and FBI survey were $456 million, in contrast to $266 million in 2000 and $124 million in 1999 [Power 2002].

IT security is no longer purely the concern of the traditional high-risk category organizations such as those in the defense, military, or government sectors. Firms in all sectors of the economy must address IT security concerns because the cost of a single security breach can be huge in terms of monetary damage, corporate liability, and credibility. Even though companies spend more money on the deployment of computer security technologies, the security problem is not getting better. Firms need to recognize that even the best technology is not foolproof. Furthermore, even if such a foolproof technology existed, it may not always be desirable for all firms.

The fundamental premise of this article is that firms should manage security investment as any other investment by analyzing the cost-benefit tradeoffs. The growing importance of analyzing these tradeoffs is evident from the emphasis and discussion on Return on Security Investment (ROSI) by both academics and practitioners [SBQ 2001, Cavusoglu et al. 2004b]. The focus of IT security management is shifting from what is technically possible to what is economically efficient.

"The first rule of IT security is that you [firms] should never spend more to protect something than a thing is actually worth." [Crume 2001]

In other words, each firm should strike an appropriate balance between its risk exposure and the opportunity to mitigate the risk through security controls. This balance must be defined within the operational context of the business: firm and hacker characteristics. The ultimate decision is what to protect and how much to protect it.

This article presents four important elements that every IT security manager should consider while managing the security function from an economic perspective. The four elements are: estimation of security breach cost (Section II), a risk management approach (Section III), cost-effective technology configuration (Section IV), and value from deployment of multiple technologies (Section V). Our purpose is to draw attention to the reasons why current security practices are inadequate and to propose solutions to address problems overlooked by current practices.

[1] The FBI's National Computer Crime Squad estimates that between 85 and 97 percent of computer intrusions go undetected [Spencer 2000].

II. ESTIMATION OF COST OF A SECURITY BREACH

The foremost requirement for analyzing IT security from an economic perspective is estimating the cost of security, or lack thereof. This estimate directly impacts investment in security technologies, since any economic decision for or against an investment is made based on such estimates. Unfortunately, current practices grossly underestimate the cost of security breaches, which often leads to underinvestment in security. Underestimates occur because firms consider only tangible short-term costs associated with security breaches. They do not consider long-term or intangible costs, often because they are unable to measure them.

In the 2002 CSI-FBI survey of 503 respondents from organizations throughout the United States, 80% reported financial losses from security breaches, but only 44% (223) of them were able to quantify them [2]. The total reported losses, as highlighted above, were $456 million, and the average loss was $2.0 million per organization across all types of breaches. The highest reported losses were for theft of proprietary information, reported by 41 organizations with an average loss of $4.2 million per organization. The sabotage of data networks cost an average of $352 thousand, while denial of service resulted in a $245 thousand loss per organization [Power 2002].

The costs associated with restoring a system after a security breach and business loss during the disruption provide at best a partial picture. The true cost of a security breach is multifaceted. Information security is a value creator that supports and enables e-business, rather than only a cost of doing business. A secure environment for information and transaction flow can create value for the organization as well as its partners and customers [Cavusoglu et al. 2004a]. By the same token, security lapses can lead to a breach of consumer confidence and trust in addition to lost business and third-party liability. In a survey by Media Metrix, only 12.1% of the U.S. companies with a Web presence cite direct financial loss as a concern in a security breach, but more than 40% cite consumer trust and confidence [Pastore 2001].

The costs of security breaches can be broadly classified into transitory (or short-term) costs that are incurred only during the period in which the breach occurs and permanent (or long-term) costs that are incurred after the immediate effects of the breach are dealt with. The transitory costs of security breaches include (1) lost business and worker productivity because of breached information resources, and the labor and material costs required to detect, contain, repair, and reconstitute the breached resources, (2) costs associated with finding the attacker, collecting evidence, and prosecuting, and (3) media-related costs of providing information to customers and the public. In the long run a security breach affects the firm's future cash flows. These costs include those related to loss of customers who switch to competitors, inability to attract new customers because of perceived poor security, loss of trust of customers and business partners, potential future legal liabilities arising out of the breach, and the cost of competitors' access to confidential or proprietary information. In addition, the firm may face increased insurance cost and higher capital cost in debt and equity markets because of a perceived increase in business risk.

Costs can further be classified into tangible and intangible costs. It is possible to estimate some costs such as lost sales, material and labor, and