Abstract
This paper endogenizes the value of an information set which has to be produced and protected. The profit is inverse U-shaped in security investment and production effort. The breach probability is commonly assumed to decrease convexly in security investment, which means that modest security investment is sufficient to deter most perpetrators. We allow the breach probability to be not only convex but also concave, which means that substantial security investment is needed to deter most perpetrators. Convexity versus concavity depends on the security environment, perpetrators, technology, and law enforcement. A firm strikes a balance between producing and protecting an information set dependent on seven model parameters for production, protection, convexity, concavity, vulnerability, and resource strength.
Notes
k = ∞ gives a step function where S(z,v) = 1 when z < 1, and S(z,v) decreases abruptly to 0 when z = 1. Conversely, k = 0 gives S(z,v) = 1 when z = 0, and S(z,v) decreases abruptly to 0 when z > 0.
Acknowledgment
I thank an anonymous referee of this journal for useful comments.
Cite this article
Hausken, K. Returns to information security investment: Endogenizing the expected loss. Inf Syst Front 16, 329–336 (2014). https://doi.org/10.1007/s10796-012-9390-9
DOI: https://doi.org/10.1007/s10796-012-9390-9