Cybersecurity economics – balancing operational security spending

Tools

Ekelund, Stale and Iskoujina, Zilia ORCID: https://orcid.org/0000-0002-2145-6619 (2019) Cybersecurity economics – balancing operational security spending. Information Technology & People, 32 (5). pp. 1318-1342. ISSN 0959-3845

[thumbnail of Binder3]
Preview
 PDF (Binder3) - Accepted Version
Available under License Creative Commons Attribution Non-commercial.
Download (1MB) | Preview

Abstract

Purpose: The purpose of this paper is to demonstrate how to find the optimal investment level in protecting an organisation’s assets. Design/methodology/approach: This study integrates a case study of an international financial organisation with various methods and theories in security economics and mathematics, such as value-at-risk (VaR), Monte Carlo simulation, exponential and Poisson probability distributions. Thereby it combines theory and empirical findings to establish a new approach to determining optimal security investment levels. Findings: The results indicate that optimal security investment levels can be found through computer simulation with historical incident data to find VaR. By combining various scenarios, the convex graph of the risk cost function has been plotted, where the minimum of the graph represents the optimal invest level for an asset. Research limitations/implications: The limitations of the research include a modest number of loss observations from one case study, and the use of normal probability distribution. The approach has limitations where there are no historical data available or the data has zero losses. These areas should undergo further research including larger data set of losses and exploring other probability distributions. Practical implications: The results can be used by leading business practitioners to assist them with decision making on investment to the increased protection of an asset. Originality/value: The originality of this research is in its new way of combining theories with historical data to create methods to measure theoretical and empirical strength of a control (or set of controls) and translating it to loss probabilities and loss sizes.

Item Type: Article
Faculty \ School: Faculty of Social Sciences > Norwich Business School
Depositing User: LivePure Connector
Date Deposited: 03 Mar 2023 12:30
Last Modified: 07 Oct 2023 01:18
URI: https://ueaeprints.uea.ac.uk/id/eprint/91345
DOI: 10.1108/ITP-05-2018-0252

Downloads

Downloads per month over past year

Actions (login required)

View Item View Item