Economic methods and decision making by security professionals

A Baldwin, Y Beres, Geoffrey B Duggan, M Cassassa Mont, H Johnson, C Middup, S Shiu

Research output: Contribution to conference, Paper

Abstract

Increasing reliance on IT and the worsening threat environment mean that organisations are under pressure to invest more in information security. A challenge is that the choices are hard: money is tight, objectives are not clear, and there are many relevant experts and stakeholders. A significant proportion of the research in security economics is about helping people and organisations make better security investment and policy decisions. This paper looks at the impact of methods based on security economics on a set of decision makers. Importantly, the study focused upon experienced security professionals using a realistic security problem relating to client infrastructure. Results indicated that the methods changed the decision processes for these experienced security professionals. Specifically, a broader range of factors were accounted for and included as justifications for the decisions selected. The security professional is an (important and influential) stakeholder in the organization decision making process, and arguably a more complete understanding of the problem is more suitable for persuading a broader business audience. More generally the study complements all research in security economics that is aimed at improving decision making, and suggests ways to proceed and test for the impact of new methods on the actual decision makers.
Original language: English
Publication status: Published - 2011
Event: Tenth Workshop on Economics of Information Security (WEIS 2011) - George Mason University, Virginia
Duration: 14 Jun 2011 - 15 Jun 2011