Private Sector Cyber Security Investment: An Empirical Analysis

Organizations typically use very robust analysis techniques to determine how best to spend resources in order to increase revenue and decrease costs or losses. However, few organizations attempt such analysis processes to determine the level and type of cyber security mechanisms in which they invest and which they maintain. Key performance and evaluation metrics are not available, so those organizations that use quantitative analysis techniques typically have well developed internal tracking systems and have spent considerable time analyzing their internal data. Using a case study approach, we conducted a series of interviews with large organizations in a variety of sectors in order to understand their investment and implementation strategies, particularly focusing on the factors which drive the level of security they maintain and the information resources they rely on for planning and resource allocation. Here we present a qualitative discussion of some of our findings and introduce a conceptual approach to consider the trade-offs between various investment and implementation strategies and some public policy options. This paper is based on an ongoing study funded by the U.S. Department of Homeland Security.