Risk-based Valuation of Investments in Information Security - A Combination Approach
Full text | |||
Source | Journal of Information Systems Security Volume 8, Number 1 (2012)
Pages 43–55
ISSN 1551-0123 (Print)ISSN 1551-0808 (Online) |
||
Authors | Punnet Prakash — Virginia Commonwealth University, USA | ||
Publisher | Information Institute Publishing, Washington DC, USA |
Abstract
Information systems security is among the top concerns of both the public and private sectors. However, the valuation of investments in information security has proven difficult. This paper argues that the price that the market charges a firm to bear the risk associated with its information systems forms a benchmark for investment in information security. At this price, the firm is indifferent between investing in security and transferring information systems security’s risk to an outside bearer, most often insurers. Thus, the actuarial techniques that insurers employ to set premiums can be used to value investment in systems security. Actuarial methods to compute premiums are based on expected loss plus a risk premium that aims to account for unexpected loss. This paper uses a combination of the value-at-risk concept and the actuarial frequency-severity analysis to estimate risk premiums and expected loss, respectively. The decision analytic techniques for valuing investments in information security previously suggested in the literature are based on expected loss alone and thus are special instances of this broader approach.
Keywords
Risk, Management, Information Systems, Security, Valuation, Actuarial Method, Value-at-Risk, Frequency, Severity, Annualized Loss Expectancy
References
Behara, R.S., Huang, C.D., and Hu, Qing (2010) “A System Dynamics Model of Information Security Investments,” Journal of Information System Security, 6(2), 30-46.
Benaroch, M., and Kauffman, R. (1999) “A Case For Using Real Options Pricing Analysis to Evaluate Information Technology Project Investments.” Information Systems Research, 10(1), 70–86.
Bodnar, G.M., Hayt, G.S., and Marston, R.C. (1998) “1998 Wharton Survey of Financial Risk Management by US Non-financial Firms,” Financial Management, 27(4), 70-91.
Borison, A. (2005) “Real Options Analysis: Where Are the Emperor’s Clothes?,” Journal of Applied Corporate Finance, 17(2), 17-31.
Caudle, S.L., W.L. Gorr, and Newcomer, K.E. (1991) “Key Information Systems Management Issues for the Public Sector,” MIS Quarterly, 15, 171-188.
Cavusoglu, H., Mishra, B., and Raghunathan, S. (2004) “A Model for Evaluating IT Security Investments,”Communications of the ACM, 47(7), 87-92.
Cavusoglu, H., Raghunathan, S., and Yue, W.T. (2008) “Decision-Theoretic and Game- Theoretic Approaches to IT Security Investment,” Journal of Management Information Systems, 25(2), 281–304.
Daneva, M. (2006) “Applying Real Options Thinking to Information Security in Networked Organizations,” Centre for Telematics and Information Technology (CITT) Technical Report TR-CTIT-06-11, University of Twente. Enschede, The Netherlands.
Embrechts, P. (2001) “Integrated Risk Management For Banking and Insurance”, Latsis Symposium, September 2001.
GAO (Government Accountability Office) United States, (2005) “Report to Congressional Requesters on INFORMATION SECURITY - Emerging Cybersecurity Issues Threaten Federal Information Systems”.
Gordon, L.A., and Loeb, M.P. (2002) “The Economics of Information Security Investment,” ACM Transactions on Information and Systems Security, 5(4), 438-457.
Gordon, L.A., Loeb, M.P., and Lucyshyn, W. (2003) “Information Security Expenditures and Real Options: A Wait-and-See Approach,” Computer Security Journal, 19(2), 1-7.
Grubbstrom R.W., and Tang, O. (2006) “The Moments and Central Moments of a Compound Distribution”, European Journal of Operational Research, 170, 106-119.
Hartog C., and Herbert, M. (1986) “1985 Opinion Survey of MIS Managers: Key Issues,” MIS Quarterly, 10(4), 351-361.
Herath, H.S.B., and Herath, T.C. (2009) “Investments in Information Security: A Real Options Perspective with Bayesian Postaudit,” Journal of Management Information Systems, 25(3), 337–375.
Hoo, K.S. (2000) “How Much Is Enough? A Risk-Management Approach to Computer Security,” Working Paper, Consortium for Research on Information Security and Policy (CRISP), Stanford University, Palo Alto,
California.
Rainer, R.K., Snyder, C.A. Jr., and Carr H.H. (1991) “Risk analysis for Information Technology,” Journal of Management Information Systems, 8(1), 129-147.