Compliance or Security, What Cost? (Poster)

  • Craig Wright
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6812)


This paper presents ongoing work toward measuring the effectiveness of audit and assessment as an information security control. The trend towards the application of security control measures which are employed to demonstrate compliance with legislation or regulations, rather than to actually detect or prevent breaches occurring is demonstrated to result in a misallocation of funds. Information security is a risk function. Paying for too much security can be more damaging in economic terms than not buying enough. This research reveals several major misconceptions among businesses about what security really means and that compliance is pursued to the detriment of security. In this paper, we look at some of the causes of compliance based audit failures and why these occur. It is easier to measure compliance than it is to measure security and spending money to demonstrate compliance does not in itself provide security. When the money spent on achieving compliance reduces the funding available for control measures that may actually improve security problems may arise.


Audit Economics Incentives Risk Security Compliance 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R.: Why information security is hard – an economic perspective. In: 17th Annual Computer Security Applications Conference, pp. 358–365 (2001)Google Scholar
  2. 2.
    Halderman, J.: To Strengthen Security, Change Developers’ Incentives. IEEE Security and Privacy 8(2), 79–82 (2010)CrossRefGoogle Scholar
  3. 3.
    Katz, M.L., Shapiro, C.: Network externalities, competition, and compatibility. The American Economic Review 75, 424 (1985)Google Scholar
  4. 4.
    Roese, N.J., Olson, J.M.: Better, stronger, faster: Self-serving judgment, affect regulation, and the optimal vigilance hypothesis. Perspectives on Psychological Science 2, 124–141 (2007)CrossRefGoogle Scholar
  5. 5.
    Turcato, L.M.: Use of COBIT as a Risk Management & Audit Framework for Access Compliance, San Francisco ISACA Fall Conference (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Craig Wright
    • 1
  1. 1.Computer Science EditorialSpringer-VerlagHeidelbergGermany

Personalised recommendations