An Insurance Style Model for Determining the Appropriate Investment Level against Maximum Loss arising from an Information Security Breach

The economic consequences of breaches in information security cannot be underestimated. According to the World Bank 2002 survey on reported cyber crime the US$ value of the effects from intrusions from a variety of sources has been increasing at an accelerating rate over the past decade. This survey contains a list of reported intrusions recording criminal and employee abuse with losses ranging from several thousand dollars to many million dollars and the victims of these security breaches are in the main players belonging to the global financial service industries. The KPMG 2002 Global Security Survey covering major international firms reported that the average expenditure on information security represented approximately 10% of the total spend on IT and that the level was expected to rise in the future. The average cost of a breach in information security was estimated at just over $100 thousand. It concludes that reporting procedures concerning hostile intrusions into the information bank were in several cases crude and the methods for formally measuring the economic consequences of breaches lacked the sophistication to provide guidance of any value. The Deloitte Touche Tohmatsu 2003 Global Security Survey makes similar conclusions. It points out that although there is a greater awareness on the increased sophistication of attacks on computer information and encouraging trends for financial institutions to treat information security seriously, greater all-round effort is still required on all aspects of information security.