This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
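Worked example of the investment problem the abstract describes, added here and not code from the paper. The abstract does not give the breach-probability functions, so the two functional classes used below (the ones from the published paper) are an assumption, as are the loss and vulnerability values; the paper's published bound that the optimal spend never exceeds 1/e of the expected loss is also not stated in the abstract.

```python
import math

# Breach-probability functions, ASSUMED here: the abstract above does not give
# them. These are the two functional classes from the published paper.
def s_class1(z, v, a=1.0, b=1.0):
    """Class I: residual breach probability after investing z against vulnerability v."""
    return v / (a * z + 1) ** b

def s_class2(z, v, a=1.0):
    """Class II: residual breach probability; very high v stays high unless z is large."""
    return v ** (a * z + 1)

def enbis(z, v, loss, s_func):
    """Expected net benefit of investing z: reduction in expected loss minus cost."""
    return (v - s_func(z, v)) * loss - z

def optimal_investment(v, loss, s_func, step=0.01):
    """Grid search over z in [0, v*loss]; spending more than the expected loss never pays."""
    best_z, best_val = 0.0, 0.0            # z = 0 gives net benefit 0 by definition
    for i in range(1, int(v * loss / step) + 1):
        z = i * step
        val = enbis(z, v, loss, s_func)
        if val > best_val:
            best_z, best_val = z, val
    return best_z

def investment_fraction(v, loss, s_func):
    """Optimal spend as a fraction of the expected loss v*loss."""
    return optimal_investment(v, loss, s_func) / (v * loss)

def profile(loss, s_func, vulnerabilities=(0.2, 0.5, 0.9995)):
    """Optimal spend per vulnerability level; for class II the midrange v gets the most."""
    return {v: optimal_investment(v, loss, s_func) for v in vulnerabilities}

if __name__ == "__main__":
    L = 1000.0                              # constructed potential loss
    for name, f in (("class I", s_class1), ("class II", s_class2)):
        for v, z in profile(L, f).items():
            print(f"{name}: v={v:<7} z*={z:8.2f}  z*/(vL)={z / (v * L):.4f}  1/e={1 / math.e:.4f}")
```

Under class II the near-certain breach (v = 0.9995) gets no investment at all, the midrange v = 0.5 gets the most, and every optimal spend is a small fraction of v*L, which is the abstract's conclusion in numbers.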