Increasing reliance on IT and the worsening threat environment mean that organisations are under pressure to invest more in information security. A challenge is that the choices are hard: money is tight, objectives are not clear, and there are many relevant experts and stakeholders. A significant proportion of the research in security economics is about helping people and organisations make better security investment and policy decisions. This paper looks at the impact of methods based on security economics on a set of decision makers. Importantly, the study focused upon experienced security professionals using a realistic security problem relating to client infrastructure. Results indicated that the methods changed the decision processes for these experienced security professionals. Specifically, a broader range of factors were accounted for and included as justifications for the decisions selected. The security professional is an (important and influential) stakeholder in the organisation's decision-making process, and arguably a more complete understanding of the problem is more suitable for persuading a broader business audience. More generally, the study complements all research in security economics that is aimed at improving decision making, and suggests ways to proceed and test for the impact of new methods on the actual decision makers.
|Publication status||Published - 2011|
|Event||Tenth Workshop on Economics of Information Security (WEIS 2011) - George Mason University, Virginia (Duration: 14 Jun 2011 → 15 Jun 2011)|
|Conference||Tenth Workshop on Economics of Information Security (WEIS 2011)|
|City||George Mason University, Virginia|
|Period||14/06/11 → 15/06/11|