Abstract
Making well-founded security investment decisions is hard: several alternatives may need to be considered, the space of alternatives is often diffuse, and many of the decision parameters being traded off are uncertain or incomplete. We address these challenges with a method that supports decision makers in making well-founded and balanced security investment decisions. The method has two fundamental ingredients, staging and learning, which fit into a continuous decision cycle. It takes advantage of Real Options thinking not only to select a decision option, but also to compound it with other options in subsequent decision iterations, after reflecting on the decision alternatives implemented previously. The method is supported by the SecInvest tool for trade-off analysis, which considers decision parameters including cost, risks, context (such as time-to-market and B2B trust), and expected benefits when evaluating the decision alternatives. The tool's output, a fitness score for each decision alternative, makes it possible to compare the evaluations of the decision makers involved and to incorporate learning and the consequent adjustment of decision parameters. We demonstrate the method with an example involving three decision alternatives.
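The staging and learning ingredients of the abstract rest on a standard real-options argument: paying for a first stage buys information, and the second stage is exercised only where that information shows it pays. The following is an added illustration of that argument, not code from the paper and not the SecInvest tool (it computes a plain NPV, not the paper's fitness score, and ignores the risk and context parameters SecInvest weighs). It values a "commit now" alternative against a "pilot, learn, then expand or abandon" alternative with a small decision tree. All costs, benefits, probabilities, the discount rate and the planning horizon are constructed for the example.

```python
"""Added example: real-options valuation of a staged security investment.

Generic decision-tree valuation in the spirit of real-options analysis; it
is NOT the paper's SecInvest tool and computes no "fitness score". Every
figure below (costs, benefits, probabilities, discount rate, horizon) is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """A state of the world that a pilot stage would reveal."""
    label: str
    probability: float
    annual_loss_avoided: float  # yearly benefit once the full control is in place


def _check_probabilities(outcomes):
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total:.4f}, not 1")


def pv(amount, rate, year):
    """Present value of a cash flow received `year` years from now."""
    return amount / (1.0 + rate) ** year


def npv_invest_now(full_cost, outcomes, rate, horizon):
    """Alternative 1: commit the full budget today; benefits start in year 1.
    Nothing is learned first, so only the expected benefit can be used."""
    _check_probabilities(outcomes)
    expected_benefit = sum(o.probability * o.annual_loss_avoided for o in outcomes)
    benefits = sum(pv(expected_benefit, rate, y) for y in range(1, horizon + 1))
    return benefits - full_cost


def npv_staged(pilot_cost, expand_cost, outcomes, rate, horizon):
    """Alternative 2: pay for a pilot now, learn which outcome holds, then in
    year 1 hold the option to expand (benefits from year 2) or to abandon.
    Returns (expected NPV, {outcome label: expand?})."""
    _check_probabilities(outcomes)
    value = -pilot_cost
    decisions = {}
    for o in outcomes:
        benefits = sum(pv(o.annual_loss_avoided, rate, y) for y in range(2, horizon + 1))
        expand_npv = benefits - pv(expand_cost, rate, 1)
        decisions[o.label] = expand_npv > 0.0   # exercise the option only when it pays
        value += o.probability * max(expand_npv, 0.0)
    return value, decisions


def value_of_staging(full_cost, pilot_cost, expand_cost, outcomes, rate, horizon):
    """Staged NPV minus commit-now NPV: what learning before committing is
    worth. Negative means the delayed benefit costs more than the information
    gained, so committing at once is the better alternative."""
    staged, _ = npv_staged(pilot_cost, expand_cost, outcomes, rate, horizon)
    return staged - npv_invest_now(full_cost, outcomes, rate, horizon)


# Constructed figures (thousands of currency units), not data from the paper.
RATE = 0.05
HORIZON = 5
FULL_COST = 150.0
PILOT_COST = 30.0
EXPAND_COST = 130.0     # pilot plus expansion cost more than committing at once
OUTCOMES = (
    Outcome("high_attack_pressure", 0.5, 60.0),
    Outcome("low_attack_pressure", 0.5, 10.0),
)


if __name__ == "__main__":
    now = npv_invest_now(FULL_COST, OUTCOMES, RATE, HORIZON)
    staged, decisions = npv_staged(PILOT_COST, EXPAND_COST, OUTCOMES, RATE, HORIZON)
    print(f"commit now : NPV {now:7.2f}")
    print(f"staged     : NPV {staged:7.2f}, expand? {decisions}")
    print(f"value of staging: {staged - now:.2f}")
```

With these figures, committing at once is barely positive, while the staged alternative is worth several times more even though pilot plus expansion cost more in total and the full benefit arrives a year later: the pilot lets the decision maker skip the expansion in the low-pressure state. The expansion option nested on the pilot is a compound option of the kind the abstract describes iterating over; a further cycle would treat the expanded control as the new starting point and evaluate the next set of alternatives with the parameters adjusted by what the pilot taught. The example also shows the caveat: if the pilot resolved no uncertainty (both outcomes collapsed to the expected benefit), staging would only delay the benefit and `value_of_staging` would turn negative.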
Keywords
- Security Decision Support
- Security Economics
- Extended Enterprise
- Bayesian Belief Network (BBN)
- Real Option Analysis
- Outsourcing
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Franqueira, V.N.L., Houmb, S.H., Daneva, M. (2010). Using Real Option Thinking to Improve Decision Making in Security Investment. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2010. OTM 2010. Lecture Notes in Computer Science, vol 6426. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16934-2_46
DOI: https://doi.org/10.1007/978-3-642-16934-2_46
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16933-5
Online ISBN: 978-3-642-16934-2