An Example Collaborative Exercise for Decision Making in Investment in Cyber Security

The economics of investment in cyber security is a widely researched field. This paper describes the use of a multi-player collaborative exercise implemented on computers to help companies better understand investment decisions in cyber security. The investment model driving the collaborative exercise is an expected-value decision analysis that compares the reduction of cyber risks with other investment opportunities and accounts for the potential of government regulatory action when an integrated national impact of attacks exceeds certain acceptable levels. The exercise was implemented with over twenty live participants in June 2006 at a workshop of the Institute for Information Infrastructure Protection (I3P) addressing Process Control Systems (PCS) Security. The aim of the exercise was to illustrate the impact of potential government regulation on the complex decision process of determining appropriate investment levels for added cyber security by individual companies. At the workshop the exercise provided an opportunity for knowledgeable security professionals to collaborate and compare their investment decisions against those of other similar companies and against the results of the expected value decision analysis. This paper describes the foundations of the exercise and an hypothetical interpretation, by a company that would employ the exercise, of the results from its application at the PCS workshop.