{"title":"Economics and the cyber challenge","authors":"Simon Walker","doi":"10.1016/j.istr.2011.12.003","DOIUrl":null,"url":null,"abstract":"<div><p>Economics can be used as a tool to explain, describe, and to a certain extent predict many forms of human behaviour. However, there is only a limited body of work on its application to information security, much of which is acknowledged as partial or incomplete. As a consequence, there is a paucity of robust explanatory or predictive models that are tuned for the peculiarities of the “cyber” challenge, either to organisations, or, at a higher level, the nation state.</p><p>The effect of this is that the base arguments for information security business cases are often weak or flawed; as a result, there is an argument that both organisations and nation states will therefore tend to underinvest in information security. To improve this position, there would be benefits for information security, as a profession adopting economic models used in other areas of endeavour that historically have suffered similar problems. One potential model is full-cost accounting.</p><p>However, there are a number of further implications. These include an underlining of the importance of information security professional “speaking business language”. Also highlighted is the potential value of building a common knowledge base of the true cost of security failures, akin to the actuarial bodies of knowledge used in the insurance industry, rather than the partial and imperfect measures in use today.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"17 1","pages":"Pages 9-18"},"PeriodicalIF":0.0000,"publicationDate":"2012-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2011.12.003","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Security Technical Report","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1363412711000860","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 7
Abstract
Economics can be used as a tool to explain, describe, and to a certain extent predict many forms of human behaviour. However, there is only a limited body of work on its application to information security, much of which is acknowledged as partial or incomplete. As a consequence, there is a paucity of robust explanatory or predictive models that are tuned for the peculiarities of the “cyber” challenge, either to organisations, or, at a higher level, the nation state.
The effect of this is that the base arguments for information security business cases are often weak or flawed; as a result, there is an argument that both organisations and nation states will therefore tend to underinvest in information security. To improve this position, there would be benefits for information security, as a profession adopting economic models used in other areas of endeavour that historically have suffered similar problems. One potential model is full-cost accounting.
However, there are a number of further implications. These include an underlining of the importance of information security professional “speaking business language”. Also highlighted is the potential value of building a common knowledge base of the true cost of security failures, akin to the actuarial bodies of knowledge used in the insurance industry, rather than the partial and imperfect measures in use today.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
