Economic Security Metrics

This chapter surveys economic approaches for security metrics, among which we could identify two main areas of research. One has its roots in investment and decision theory and is mainly pursued in the field of information technology-oriented business administration. It has yielded a number of quantitative metrics that can be applied as guidelines in investment decisions as well as for the evaluation of existing security measures. The second area of research has ancestors in micro-economics. It deals with market concepts to gather security-relevant information and extract quantitative indicators on information security properties. 1 Metrics for Security Investments The previous chapter has demonstrated that it is essential to measure organisations’ security at different levels of detail. This also applies to the investment perspective. In the recent years, organisations see an increasing demand for determining the cost and benefit of IT security investments. Possible reasons include compliance with regulatory requirements, emerging information security threats, or increased dependence of business processes on information technology. Apart from definitions for metrics, this section will show the motivations behind metrics as well as challenges in quantifying the value of IT security investments.