Economic Methods and Decision Making by Security Professionals

  • Adrian Baldwin
  • Yolanta Beres
  • Geoffrey B. Duggan
  • Marco Casassa Mont
  • Hilary Johnson
  • Chris Middup
  • Simon Shiu
Conference paper

Abstract

Increasing reliance on IT and a worsening threat environment mean that organisations are under pressure to invest more in information security. The choices are hard: money is tight, objectives are not clear, and many experts and stakeholders are involved. A significant proportion of the research in security economics is about helping people and organisations make better security investment and policy decisions. This paper looks at the impact of methods based on security economics on a set of decision makers. Importantly, the study focused on experienced security professionals working on a realistic security problem relating to client infrastructure. Results indicated that the methods changed the decision processes of these experienced security professionals: a broader range of factors was taken into account and cited as justification for the decisions selected. The security professional is an important and influential stakeholder in the organisation's decision-making process, and arguably a more complete understanding of the problem is better suited to persuading a broader business audience. More generally, the study complements all research in security economics aimed at improving decision making, and suggests ways to proceed and to test the impact of new methods on the actual decision makers.

Keywords

Expense 


Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Adrian Baldwin (1)
  • Yolanta Beres (1)
  • Geoffrey B. Duggan (2)
  • Marco Casassa Mont (1)
  • Hilary Johnson (2)
  • Chris Middup (3)
  • Simon Shiu (1)
  1. HP Labs, Bristol, England, UK
  2. University of Bath, England, UK
  3. Open University, England, UK