Investing in Information Systems Security: Some Insights on Resource Allocation

Speaker: Senay Solak
John F. Smith Memorial Professor and Department Chair, Operations and Information Management Department, Isenberg School of Management, University of Massachusetts Amherst

When: 02:00 AM – 03:00 PM, April 7th, 2023

Abstract:

Information security is an inseparable operational component for any business that utilizes information systems. Given this significance, firms are increasingly concerned about the cost-effectiveness of their investments in information security. In this study, we seek to address two key decisions a firm faces regarding such investments: how much the firm should invest in information systems security, and how this investment should be allocated across different categories of security countermeasures. As part of our findings, we derive a simple functional relationship between the potential total losses of a firm and the optimal amount that the firm should invest in information systems security. Related to this, we find that firms in the finance, energy, and technology sectors should invest twice as much in trying to detect information security breaches as in trying to prevent them. In other industries, information security investments should be split evenly between preventive and detective measures. Moreover, the overall information security budgets for certain types of firms in the former set of industries should be on average 15% higher than those of firms in other industries, even when the potential total losses under a security breach are the same. As additional conclusions, we find that the value of these optimal policies is higher for small to medium-sized firms, and that a gradual investment strategy over a budget period is better than early utilization of the budget at the beginning of that period.
