Framing Information Security Budget Requests to Maximize Investments

Author

  • NICOLE L. BEEBE
Abstract

Nearly one in three security practitioners believe that the organization they work for under-funds information security efforts. Rational choice and economic models have been developed to help decision makers determine the optimal amount they should spend to protect a set of information assets. These models presume investment decisions are rationally made, despite long-standing behavioral and decision making research to the contrary that shows decisions are not entirely rational when risk and uncertainty are involved. The purpose of this research was to empirically validate our hypothesis that information security investment decision makers exhibit irrational decision making behavior when faced with competing budget alternatives involving risk. Specifically, we test the Framing Effect under Prospect Theory, which suggests that individuals exhibit unique risk attitudes when evaluating gain-related and loss-related risk decisions. The results of an on-line survey empirically validate our hypothesis that information security investment decision makers in fact exhibit irrational decision making behavior when faced with competing budget alternatives involving risk. High-level decision makers exhibit irrational decision making behavior concerning information security when faced with competing budget alternatives involving risk. The findings suggest that justifying budget requests in terms of assets protected will often garner greater budgets than those framed in terms of the negative ramifications if security investments are not made. The findings also suggest that existing rational choice and economic models for information security investments should be augmented with measurement of risk perception and account for expected decision biases.


Similar resources

Interdependent Security Game Design over Constrained Linear Influence Networks

In today's highly interconnected networks, security of the entities is often interdependent. This means security decisions of the agents are not only influenced by their own costs and constraints, but also are affected by their neighbors’ decisions. Game theory provides a rich set of tools to analyze such influence networks. In the game model, players try to maximize their utilities through se...


A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints

Abstract: In this paper, we develop a supply chain network game theory model consisting of retailers and demand markets with retailers competing noncooperatively in order to maximize their expected profits by determining their optimal product transactions as well as cybersecurity investments subject to nonlinear budget constraints that include the cybersecurity investment cost functions. The co...


The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare

The Sarbanes-Oxley legislation is a mandate that is bringing new attention to IT security as a critical part of the risk management framework for the dual purposes of certifying internal controls and attesting to the accuracy of information. Regulatory compliance, security audits and mandatory information disclosure about internal weaknesses can be very costly from a budget standpoint because i...


Optimal Investment in Information Security: A Business Value Approach

With increasing level of security threats and constant budget limitations, it is critical for a company to know how much and where to invest in information security. To date, all of the studies—academia or practitioner—focus on risk reduction as the primary effect of security investments, assuming that they generate no direct business benefits. However, some potential business values such as br...


Publication date: 2013