Economic Analysis of Cyber Security
Abstract
Organizations typically use robust analysis techniques to determine how best to invest scarce resources that will lead to increased revenue and decreased costs. However, few organizations attempt such analysis for their cyber security mechanisms. Key performance and evaluation metrics are not available, so organizations rely on qualitative assessments; and even those with well-developed tracking systems do not have the tools to derive the cyber security data for use in quantitative budgeting processes. Using a case study approach, we interviewed organizations in a variety of sectors to understand their investment and implementation strategies, particularly focusing on the factors driving their level of security and the resources they rely on for planning and resource allocation. This report presents our findings and introduces an approach to consider the trade-offs between various investment and implementation strategies and public policy options. In general, we found that most organizations make decisions related to cyber security investments at the IT staff level, but there is a trend toward more management-level (e.g., risk management) decisions. Further, our analysis indicates that some organizations are more proactive (vice reactive) than others, and that the proactive organizations are also more reliant on external information resources when making investment decisions.
Document Details
- Document Type: Technical Report
- Publication Date: Jul 01, 2006
- Accession Number: ADA455398
Entities
People
- Albert N. Link
- Alex V. Rogozhin
- Brent R. Rowe
- Michael P. Gallaher
Organizations
- RTI International