Abstract

Several research works have proposed economic and financial models to determine the optimal amount of investment in the security of information systems, showing the use of diverse techniques such as Game Theory (Grossklags et al. 2008), Utility Mdodels (Huang and Behara 2013; Miaoui et al. 2014), Return on Information Security Investment (Sonnenreich 2006), and Value at Risk (J. Wang et al. 2008). While many of these works showed the importance of investing in both self-protection and Cyber insurance (to reduce and transfer the residual risk of loss to insurance companies), none of them has considered the importance of security investment in forensic investigation to support insurance claims, ensure a better reimbursement of loss in case of security breach, and increase the return of investment in security. We propose in this paper to distribute the investment in information security into investment in Self-Defense to protect against security attacks, investment in Insurance to transfer the residual risk of loss to insurance companies, and investment in Forensic Readiness to maximize the firm’s potential to collect appropriate digital evidence, and generate provable insurance claims about occurred security breaches. An economic model based on the theory of utility is designed to compute the optimal total investment, taking into consideration the interdependence between the aforementioned three investments. An analysis is conducted to assess the variation of the optimal investments in self-defense and forensic readiness, and the cost of residual risk, with respect to the rate of insurance reimbursement, security vulnerabilities, and potential financial loss.

Download

Share

COinS