Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach

Fagade, Tesleem; Maraslis, Konstantinos; Tryfonas, Theo

doi:10.1504/ijcis.2017.088235

Cited by 6 publications

(3 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using the extreme value theory, Wang et al (2008) measured the daily risk of an organizational information system and modeled the probability distribution of the daily losses and the time trends associated with the extreme behaviors of users. Along the same line of thinking, Fagade et al . (2017) explored the use of the Monte Carlo predictive simulation model in the allocation of cybersecurity resources.…”

Section: Literaturementioning

confidence: 87%

Cybersecurity awareness training programs: a cost–benefit analysis framework

Zhang

et al. 2021

IMDS

View full text Add to dashboard Cite

PurposeEmployees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.Design/methodology/approachTo help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security.FindingsOur findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.Originality/valueOur model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

show abstract

Section: Literaturementioning

confidence: 87%

Cybersecurity awareness training programs: a cost–benefit analysis framework

Zhang

et al. 2021

IMDS

View full text Add to dashboard Cite

show abstract

“…In this case, probabilities were used to measure vulnerabilities and countermeasures to calculate risk, demonstrating that traditional risk estimation procedures can lead to over and underestimations. Similarly, Fagade et al (2017) used a predictive simulation model to show that security resources to protect information assets are frequently over-or under-allocated using traditional allocation methods. A more involved approach to security risk assessment is presented in Bamakan and Dehghanimohammadabadi (2016).…”

Section: Monte Carlo Simulationmentioning

confidence: 99%

Investing in security-as-a-service for e-commerce infrastructure by small and medium enterprises: a Monte Carlo approach

Nazareth,

Choi,

Ngo-Ye

2024

JSIT

View full text Add to dashboard Cite

Purpose This paper aims to examine the conditions under which small and medium enterprises (SMEs) invest in security services when they migrate their e-commerce applications to the cloud environment. Using a risk management perspective, the paper assesses the impact of security service pricing, security incident prevalence and virulence to estimate SME security spending at the market level and draw out implications for SMEs and security service providers. Design/methodology/approach Security risks are inherently characterized by uncertainty. This study uses a Monte Carlo approach to understand the role of uncertainty in the decision to adopt security services. A model relating key security constructs is assembled based on key constructs from the domain. By manipulating security service costs and security incident types, the model estimates the market-level adoption of services, security incidents and damages incurred, along with measures of their relative dispersion. Findings Three key findings emerge from this study. First, adoption of services and protection is higher when tiered security services are provided, indicating that SMEs prefer to choose their security services rather than accept uniformly priced products. Second, SMEs are considered price-sensitive, resulting in a maximum level of spending in the market. Third, results indicate that security incidents and damages can be much higher than the mean in some cases, and this should serve as a cautionary note to SMEs. Originality/value Security spending has been modeled at the firm level. Adopting a market-level perspective represents a novel contribution. Additionally, the Monte Carlo approach provides managers with tangible measures of uncertainty, affording additional information and insight when making security service adoption decisions.

show abstract

“…However, there is some advocacy for its use in this discipline also. Fagade et al [47] explore how a quantitative approach enhances cybersecurity resource allocation while others contend that the qualitative methods so widely used today do not work and need to be replaced with a quantitative approach based on Bayesian statistics and MCS [32].…”

Section: Quantitative Risk Assessment As An Alternativementioning

confidence: 99%

Cyber threat: its origins and consequence and the use of qualitative and quantitative methods in cyber risk assessment

Crotty

Daniel²

2022

ACI

View full text Add to dashboard Cite

PurposeConsumers increasingly rely on organisations for online services and data storage while these same institutions seek to digitise the information assets they hold to create economic value. Cybersecurity failures arising from malicious or accidental actions can lead to significant reputational and financial loss which organisations must guard against. Despite having some critical weaknesses, qualitative cybersecurity risk analysis is widely used in developing cybersecurity plans. This research explores these weaknesses, considers how quantitative methods might address the constraints and seeks the insights and recommendations of leading cybersecurity practitioners on the use of qualitative and quantitative cyber risk assessment methods.Design/methodology/approachThe study is based upon a literature review and thematic analysis of in-depth qualitative interviews with 16 senior cybersecurity practitioners representing financial services and advisory companies from across the world.FindingsWhile most organisations continue to rely on qualitative methods for cybersecurity risk assessment, some are also actively using quantitative approaches to enhance their cybersecurity planning efforts. The primary recommendation of this paper is that organisations should adopt both a qualitative and quantitative cyber risk assessment approach.Originality/valueThis work provides the first insight into how senior practitioners are using and combining qualitative and quantitative cybersecurity risk assessment, and highlights the need for in-depth comparisons of these two different approaches.

show abstract

Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach

Cited by 6 publications

References 12 publications

Cybersecurity awareness training programs: a cost–benefit analysis framework

Cybersecurity awareness training programs: a cost–benefit analysis framework

Investing in security-as-a-service for e-commerce infrastructure by small and medium enterprises: a Monte Carlo approach

Cyber threat: its origins and consequence and the use of qualitative and quantitative methods in cyber risk assessment

Contact Info

Product

Resources

About