Economic Analysis of Cyber Security   [open pdf - 534KB]

"The optimal level of cyber security investment depends on factors related to the efficiency of the investment, its marginal cost, and the security returns from the investment, its marginal benefit. These factors are generally related to organizational and performance characteristics, such as an organization's existing information technology (IT) characteristics, the compatibility of available cyber security technologies with current technologies, the security needs of the products and services the organization provides, and the preferences/perceptions of its customers. In addition, expectations of future threats or compromises, vulnerabilities, and technical change influence the timing of investments and thus the costs incurred and the benefits received. [...] This report summarizes our findings about cyber security investment strategies in the private sector based on a series of extensive interviews with U.S. organizations from several industry groups--financial services, health care, manufacturing, universities, Internet service providers (ISPs), electric utilities, and nonprofit research institutions, as well as small businesses. The focus of our study was to investigate the decision-making process related to investments in cyber security. Investments, as we have defined them in this paper, include both hardware and software purchases and the determination and implementation of IT staff procedures and user policies. Essentially, we sought to analyze how organizations determine the level of resources they allocate to cyber security and the solutions they select."

Public Domain
Retrieved From:
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/
Media Type:
Help with citations