The real challenge is determining how much to spend and where to spend. This requires understanding of the economic issues regarding IT security.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Axelsson, S., “The Base-Rate Fallacy and the Difficulty of Intrusion Detection,” ACM Transactions on Information and System Security, 3(3), August 2000.
Berinato, S. “Finally, A Return on Security Spending,” CIO Magazine, Feb 15, 2002.
Brynjolfsson, E., “The Productivity Paradox of Information Technology,” Communications of the ACM, 36(12), pp. 66–77, 1993.
Cagnemi, M. P., “Top Technology Issues,” Information Systems Control Journal, 4(6), 2001.
Cavusoglu, H., B. K. Mishra and Raghunathan, S., “Assessing the Value of Detective Control in IT Security,” Proceedings of 8th Americas Conference on Information Systems, pp. 1910–1918, 2002a.
Cavusoglu, H., B. K. Mishra and Raghunathan, S., “Configuration of Intrusion Detection Systems” Working Paper, 2002b.
Cavusoglu, H. and Raghunathan, S., “Configuration of Intrusion Detection Systems: A Comparison of Decision and Game Theoretic Approaches,” International Conference on Information Systems (ICIS), Seattle, Washington, December 2003.
Cavusoglu, H., Mishra, B. K. and Raghunathan, S., “Quantifying the Value of IT Security Mechanisms and Setting Up an Effective Security Architecture,” 2nd Annual Workshop on Economics and Information Security, College Park, Maryland, May 29–30, 2003a.
Cavusoglu, H., B. K. Mishra and Raghunathan, S., “A Model for Evaluating IT Security Investments,” Communications of the ACM, Forthcoming, 2003b.
Cavusoglu, H., B. K. Mishra and Raghunathan, S., “The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers,” International Journal of E-Commerce, Forthcoming, 2004a.
Cavusoglu H., S. Raghunathan and W. T. Yue, “Decision Theoretic and Game Theoretic Approaches to IT Security Investment,” Working Paper, 2004b.
CERT/CC Statistics, 2003, available at http://www.cert.org/stats/cert_stats.html.
Crume, J., Inside Internet Security, Addison Wesley, 2001.
CSC News Release, CSC Survey Reveals Inadequate Information Security Practices Among Companies Worldwide, November 19, 2001, available at http://www.csc.com/newsandevents/news/1584.shtml.
D’Amico, A. D., What Does a Computer Security Breach Really Cost?, Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000.
Denning, D., “Reflections on Cyberweapons Controls,” Computer Security Journal, 16(4), pp. 43–53, 2000.
Escamilla, T., Intrusion Detection: Network Security Beyond the Firewall, John Wiley & Sons, 1998.
Fama, E., L. Fisher, M. C. Jensen and R. Roll, “The Adjustment of Stock Prices to New Information,” International Economic Review, 10(1), pp. 1–21, 1969.
Gaffney, J.E. Jr. and J.W. Ulvila, “Evaluation of Intrusion Detectors: A Decision Theory Approach,” Proceedings of IEEE Symposium on Security and Privacy, pp. 50–61, 2001.
Gordon, L. A. and M. P. Loeb, “The Economics of Information Security Investment,” ACM Transactions on Information and Systems Security, pp. 438–457, November 2002.
Lee, W., W. Fan, M. Miller, S. Stolfo and E. Zadok, “Toward Cost-Sensitive Modeling for Intrusion Detection and Response,” Journal of Computer Security, 10,1/2, pp. 5–22, 2002.
Longstaff, T. A., C. Chittister, R. Pethia and Y. Y. Haimes, “Are We Forgetting the Risks of Information Technology?,” IEEE Computer, pp. 43–51, December 2000.
Moitra, S. D. and S. L. Konda, “The Survivability of Network Systems: An Empirical Analysis,” Technical Report, CMU/SEI-2000-TR-021, December 2000.
Nicholson, L. J., T. F. Shebar and M. R. Weinberg, “Computer Crimes,” The American Criminal Law Review, Spring 2000.
Pastore, M., Companies Lack Understanding of Information Security Issues, Internet. Com, October 10, 2001.
Power, R., “2002 CSI/FBI Computer Crime and Security Survey,” Computer Security Issues and Trends, 8(1), 2002.
Russell, D. and G. T. Gangemi, Computer Security Basics, O’Reilly & Associates, Inc. 1992.
Soo Hoo, K. J., “How Much is Enough? A Risk-Management Approach to Computer Security,” PhD Dissertation, Stanford University, June 2000.
Stoneburner, G., A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, 2001.
Wei, H., D. Frinke, O. Carter and C. Ritter, “Cost-Benefit Analysis for Intrusion Detection Systems,” CSI 28th Annual Computer Security Conference, 2001.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer Science + Business Media, Inc.
About this chapter
Cite this chapter
Cavusoglu, H. (2004). Economics of IT Security Management. In: Camp, L.J., Lewis, S. (eds) Economics of Information Security. Advances in Information Security, vol 12. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8090-5_6
Download citation
DOI: https://doi.org/10.1007/1-4020-8090-5_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-8089-0
Online ISBN: 978-1-4020-8090-6
eBook Packages: Springer Book Archive