Economic Considerations of Information Security and Its Management - Research Paper Example

Topic: Economic considerations of information security and its management Economic considerations of information security and its management Information security entails economic incentives since it involves technological mechanisms. The increase in cases of denial-of-service attacks, spams and botnets may be ascribed to incentives among the defenders being misaligned as well as skillful exploitation from attackers. Security considerations along with economic incentives influence the design and implementation of surveillance and tracking systems. The current information age founded in computers has evolved the manner in which firms carry out their operations along with the need to address information security. Undeniably, information security has evolved to be as significant to contemporary organizations as the security of perceptible physical resources. It is not surprising that the quickly increasing body of research dwells on issues of information security. Research should focus largely on the technical dynamics of the protection of information in computer-based systems through encryption, hardware controls as well as software and data controls. The behavioral dynamics associated with the prevention breaches in information security have attracted a lot of attention in the recent times among researchers. Conversely, there has been very little attention towards addressing the economic aspects of information security; particularly with the magnitude of resources that have been directed to improve information management by organizations, what these organizations require is a framework that will assist in deriving optimal levels of spending on information security. Economic perspectives typically recognize that even though some degree of investment in information security is noble, additional security is not always worth the associated costs (Bidgoli, 2006). Therefore, it is important to consider the manner in which vulnerabilities of information as well as losses that are linked to the vulnerability impact the ideal amount of resources that are supposed to be directed to making information secure. For a wide variety of probability functions in regards to security breach, the ideal amount that should spent on information security is a rising function based in the degree of the vulnerability of the information. However, in some cases, the ideal amount to spend on security of information initially increases and later declines with similar degrees of vulnerability of information (Rao & Upadhyaya, 2009). The managers who are responsible for allocation of information security budgets should typically concentrate that is categorized in the mid-range of vulnerability as far as breaches and other threats to the information is concerned. Therefore, an important effort for the managers should entail partitioning the types of information into levels of security vulnerability to breaches and other threats ranging from low to high. Other sets of information sets may be hard to protect at high degrees of security and thus it is better to defend this information at a moderate degree. The managers should consider a variety of aspects of security trade off including the possibility of risk, the severity of risk, the amount of expense as well as the efficiency of counter-measures used to alleviate the risks. Consultant and vendors of information security usually dwell on the huge potential losses that may arise from security breaches so that they can to sell their services and products. The experienced information security managers have an awareness of the possible losses and know that they are usually a magnitude order smaller than the possible loss. The ideal amount to spend on information security is normally less than the losses that can be expected from security breaches. Investments in information security can entail spillovers, this may lead to positive externalities, and benefits can accumulate when improvements in trust when transacting with specific organizations expand the overall size of the market within an industry. Various industries have faced positive demand shocks through effective attempts to cross-sell and upsell, as a result of alleviating the fears of the customers in regards to issued associated with information security and privacy (Böhme, 2013). These benefits are evidently significant in realms like e-commerce, and for instance, the pioneering endeavors by Amazon in the protection of the integrity of their customer’s data, if the customers had positive ripple effects on the magnitude of the potential markets of other companies in the same industry. This resulted in a rise in online purchase since the confidence of the customers to reveal their credit card numbers as well as other personal information has increased significantly. Economics can assist in explaining the reasons why the state of security of information is not significant, but it is important to consider the economic principles that are applicable to information security. The Scarcity principle simply demonstrates that having more of one good aspect will mean having less of another one and is also considered as the security trade-off. The principle of cost benefit entails taking no actions unless their marginal benefits are as significant as their marginal costs and is typically connected to attack profiles. The incentive principle considers comparisons between costs and benefits as being relevant to the identification of decisions, which should be made by practical people, as well as the prediction of the actual decisions that they settle on. These aspects assist on explaining the various failures linked to information security, and scarcity and cost benefit assist in explaining the reasons why information security does not get the same amount of resources as other aspects of IT. On the other hand, the incentive principle is critical to explaining reasons why information usually lacks from large commodities like duplications of Microsoft windows. An additional economic theory that is employed in repeatedly in various areas is the tragedy of the commons that provides a description of the manner in which more than one person who acts independently for their personal interest consumes the common resource (Johnson, 2008). Numerous researchers have analogized that the internet is the commons and no specific group of interest that is incentivized to safeguard it wholly. For instance, even though individual consumers may be incentivized to buy anti-virus software for the protection of their systems, it is unlikely that they will but the software to safeguard attacks aimed at a third party. The theory of the lemon market foretells that that products associated with information technology will have intrinsic security, and since security is a commodity based on trust, the buyer is not in a position to differentiate between a used car in good condition and a lemon (Moore, Pym & Ioannidis, 2010). Therefore, the buyer will only be willing to pay the price of the lemon, implying that products, which are secure, cannot be easily distinguished from those, which are insecure, and this makes companies become less incentivized to create secure products since the buyers will not know the difference. Therefore, the economic theory can be used to elucidate the incentives that led to the prevailing state of security. Comparative table Scarcity
Principle Also referred to as security trade-off and proposes that when more than one good aspect exists, then there will be less of the others. Cost‐Benefit
Principle Suggests that actions should not be taken unless their marginal benefits are as significant as the associated marginal costs and is usually linked to attack profiles. Incentive
Principle Comparisons between costs and benefits become relevant for the identification of decisions which should be made by practical people while at the same time forecasting the same decisions. References Bidgoli, H. (2006). Handbook of Information Security Volume 2. Hoboken: John Wiley & Sons. Böhme, R. (2013). The Economics of Information Security and Privacy. Berlin, Heidelberg: Springer Berlin Heidelberg. Johnson, M. (2008). Managing information risk and the economics of security. New York: Springer. Moore, T., Pym, D., & Ioannidis, C. (2010). Economics of information security and privacy. New York: Springer. Rao, H., & Upadhyaya, S. (2009). Information assurance, security and privacy services. Bingley, UK: Emerald. Read More