Cybersecurity economics – balancing operational security spending

Ekelund, Stale; Iskoujina, Zilia

doi:10.1108/itp-05-2018-0252

Cited by 19 publications

(9 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers from both the industry and academia have developed several useful methods and tools that can help assess a company's level of security, for instance, BitSight (Bannam, 2017), SecurityScorecard (Herath et al ., 2010), Value at Risk (Ekelund and Iskoujina, 2019), Factor Analysis of Information Risk (Freund and Jones, 2014), SAFE (Security Assessment Framework for Enterprise) platform (Lucideus Incorporated, 2020), and Cyber Doppler (Boston Consulting Group, 2019). These methods and tools can be employed to evaluate a company's security level before and after implementing a CSAT program and thus quantify its benefit.…”

Section: Analysis and Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Cybersecurity awareness training programs: a cost–benefit analysis framework

Zhang

et al. 2021

IMDS

View full text Add to dashboard Cite

PurposeEmployees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.Design/methodology/approachTo help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security.FindingsOur findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.Originality/valueOur model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

show abstract

Section: Analysis and Discussionmentioning

confidence: 99%

“…Prior studies have explored the management of cybersecurity resources from a cost–benefit perspective (e.g. Gordon and Loeb, 2006; Ekelund and Iskoujina, 2019; Gordon et al ., 2020). However, very few of them have analyzed CSAT programs from such an aspect.…”

Section: Introductionmentioning

confidence: 99%

Cybersecurity awareness training programs: a cost–benefit analysis framework

Zhang

et al. 2021

IMDS

View full text Add to dashboard Cite

show abstract

“…Moreover, Couce-Vieira, Insua, and Kosgodagan (2020) pointed out that the impact of breaches not only affects the company but also has implications for its stakeholders, highlighting the importance of knowing how to correctly manage the information transmitted to customers and shareholders. Also, Ekelund and Iskoujina (2019) highlight the responsibility that companies have to their clients and to the administration, which can translate into compensation and associated costs. 8 Therefore, breaches not only have economic, financial and management implications for the company but also the firm's environment can be threatened by its practices, and by how the company manages its cybersecurity.…”

Section: Research Modelmentioning

confidence: 99%

The severity and effects of Cyber-breaches in SMEs: a machine learning approach

Arroyabe

Arróyabe

2021

Enterprise Information Systems

View full text Add to dashboard Cite

In this paper, we investigate cyber breaches and their effects on small and medium enterprises (SMEs), considering the role that cybersecurity plays in SMEs, and the importance that SMEs have in the economy. Using the Cyber Security Breaches Survey data, the first contribution extends previous works confirming that SMEs receive a wide variety of breaches. Secondly, we have characterized the degree of severity of breaches in SMEs, based on disruption time and their cost. Our last contribution consists of determining the effect and severity of breaches in SMEs in terms of economic, financial and management impacts.

show abstract

“…Much of the published research on cybersecurity economics has been focused on the economic valuation of the assets and finding the optimal security investment level in organizations to protect those assets [15][16][17][18][19][20][21]. However, cybersecurity economics not only is concerned with whether an organization is spending enough to secure their assets and whether the security budget is spent on the right security measures and controls [22,23], but is also concerned with how a digital ecosystem and its operating agents function and behave. Cybersecurity economics covers the regulatory changes and competitive pressures (e.g., how cybersecurity can be aligned with broader business processes [24]).…”

Section: Introductionmentioning

confidence: 99%

Systematically Understanding Cybersecurity Economics: A Survey

2021

View full text Add to dashboard Cite

Insights in the field of cybersecurity economics empower decision makers to make informed decisions that improve their evaluation and management of situations that may lead to catastrophic consequences and threaten the sustainability of digital ecosystems. By drawing on these insights, cybersecurity practitioners have been able to respond to many complex problems that have emerged within the context of cybersecurity over the last two decades. The academic field of cybersecurity economics is highly interdisciplinary since it combines core findings and tools from disciplines such as sociology, psychology, law, political science, and computer science. This study aims to develop an extensive and consistent survey based on a literature review and publicly available reports. This review contributes by aggregating the available knowledge from 28 studies, out of a collection of 628 scholarly articles, to answer five specific research questions. The focus is how identified topics have been conceptualized and studied variously. This review shows that most of the cybersecurity economics models are transitioning from unrealistic, unverifiable, or highly simplified fundamental premises toward dynamic, stochastic, and generalizable models.

show abstract

Cybersecurity economics – balancing operational security spending

Cited by 19 publications

References 16 publications

Cybersecurity awareness training programs: a cost–benefit analysis framework

Cybersecurity awareness training programs: a cost–benefit analysis framework

The severity and effects of Cyber-breaches in SMEs: a machine learning approach

Systematically Understanding Cybersecurity Economics: A Survey

Contact Info

Product

Resources

About