Figure 1 - uploaded by Russell C. Thomas
Idealized Probability Distribution for an Enterprise's Total Cost of (In)security

Source publication
Thesis
Many problems in cyber trust exist at least partially because the people and institutions involved are not properly motivated to solve them. The incentives are often perverse, misaligned, or missing. By improving economic, social, and personal incentives, cyber trust can be significantly improved. The incentive-based approach is based on modern ent...

Context in source publication

Context 1
... Divide security-related or cyber trust costs into three categories: "Budgeted", "Self-insured", and "Catastrophic" (Figure 1). ...

Citations

... In the case of the Internet, the SP is best positioned to detect malicious activity; hence, they would be the practical choice for taking on the responsibility for controlling malicious activity originating from their customers. The intention should not be to advocate legal sanctions, rather, to answer the growing call to action for incentive-based trust in the cyberinfrastructure (Thomas and Amon, 2007). ...
Article
Security problems in general, and email spam in particular, are growing faster than the Internet itself and threatening its role as a critical infrastructure. Technical solutions, regardless of how good they are, may by themselves be inadequate to address these problems, which are also the result of distorted incentives and organizational structure of the Internet. A combination of incentive systems, public policy, insurance systems, reputation, and audit systems is required to ensure technology is deployed optimally to minimize these problems. This chapter proposes such an institutional change in the Internet. In the process, it describes an analytical model using game theory to coordinate incentives by implementing a certification scheme for service providers that emphasizes feasibility. In addition, the chapter explores implications of the mechanism in the context of current technical approaches, and extends the use of economic mechanisms to security in general, and to additional institutional frameworks for insurance, audit, and reputation. The chapter addresses issues related to public policy, law, social computing, and cyber warfare in the context of this novel approach of tackling security from the viewpoint of coordinating incentives.
Article
This work develops an abstract, theory-founded understanding of organization-internal information security. For this purpose, established knowledge from the field of information security is restructured on the basis of two different dimensions: The historical dimension distinguishes three "eras" of information security and relates them to concurrent changes of prevailing computing paradigms. The "security triangle" identifies and characterizes three different "meta-measures" for realizing information security inside organizations and highlights the existence of a higher-level regulatory framework. Additionally, the work is based on principles from the field of New Institutional Economics. In particular, the concepts of information asymmetries, transaction costs and principal-agent relations are explicated as well as their relevance to the establishment of cooperation among individuals. Cooperation is in turn modeled as consisting of the two partial problems of coordination and motivation. These theoretical foundations are then merged into an economically inspired positive model of information security inside organizations. The model provides abstract and theory-founded explanations for the changes of prevailing information security practices that happened in the past. Besides this explanatory use, the positive model is also applied in a prospective manner. Current technological developments will presumably lead to increasingly "interwoven" computing structures and thus to another change of the prevailing computing paradigm. The application of the model to the changed givens suggests that now-established practices like behavioral guidelines or those means usually associated with the term "security culture" will prove inefficient and thus inadequate in the future. Organizations will therefore have to use alternative approaches or to modify existing ones for realizing information security under the changed circumstances.
Various possibilities for doing so have been suggested in the past. Some of these are evaluated on the basis of the economically inspired, positive model. This analysis leads to well-founded suggestions as to which of the approaches should be applied under what conditions. Furthermore, the economic understanding also supports the development of new approaches that have so far not been thought of. As a final aspect, the future role of the higher-level regulatory framework is illuminated. It is shown that this framework will have to be adapted to the upcoming changes in order to protect organizations from being forced to apply highly inefficient practices for compliance reasons alone. Overall, the positive model developed in this work provides explanations for what can be observed in the field of organization-internal information security, allows for well-founded predictions about what can be expected for the future and leads to normative arguments regarding necessary changes of established approaches and practices. It might therefore prove valuable for future research in a multitude of ways.