The New Economics of Information Security
Information-security managers must grasp the economics of security to protect their companies.
The point is that net present value, which is consistent with the notion of maximizing the value of a firm, compares apples with apples over the entire life of an information-security investment. In contrast, ROI is based on an accrual system of accounting and is short-term in focus.
One way around this ROI dilemma is to think in terms of the economic rate of return (the internal rate of return), but then you must keep in mind that maximizing a company's internal rate of return isn't consistent with maximizing the value of a business.
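As an added illustration of the NPV-versus-IRR point above (example code written for this page, not from the article): two constructed security investments where ranking by internal rate of return or by simple ROI prefers one option while net present value prefers the other. The investment names, cash flows and the 10% cost of capital are assumed sample values.

```python
"""NPV vs. IRR vs. simple ROI for two hypothetical security investments."""
from typing import Dict, List


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value; cash_flows[0] is the up-front outlay at t = 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = 0.0, hi: float = 10.0) -> float:
    """Internal rate of return: the discount rate at which NPV == 0 (bisection)."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign in [lo, hi]; IRR undefined")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < 1e-9:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                      # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


# Constructed sample (thousands of dollars): year-0 cost, then expected
# annual reduction in security losses over a three-year life.
INVESTMENTS: Dict[str, List[float]] = {
    "A: endpoint hardening": [-100.0, 60.0, 60.0, 60.0],
    "B: monitoring program": [-300.0, 150.0, 150.0, 150.0],
}
COST_OF_CAPITAL = 0.10  # assumed discount rate


def compare(investments=INVESTMENTS, rate: float = COST_OF_CAPITAL) -> dict:
    """Per-investment NPV, IRR and undiscounted ROI, plus each metric's favourite."""
    rows = {}
    for name, flows in investments.items():
        outlay = -flows[0]
        rows[name] = {
            "npv": round(npv(rate, flows), 2),
            "irr": round(irr(flows), 4),
            "roi": round((sum(flows[1:]) - outlay) / outlay, 4),  # ignores timing
        }
    return {
        "rows": rows,
        "best_by_npv": max(rows, key=lambda n: rows[n]["npv"]),
        "best_by_irr": max(rows, key=lambda n: rows[n]["irr"]),
        "best_by_roi": max(rows, key=lambda n: rows[n]["roi"]),
    }
```

Run `compare()`: option A wins on IRR (about 36%) and on simple ROI, but option B adds more value to the firm on NPV, which is exactly why the article warns against maximizing IRR.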
So far, all we've considered is what might be called the economics of investments in information security (which also implicitly considers risk assessment through the discounting process associated with the present-value concept). But economics as a discipline has a lot more tools beyond the ability to make decisions about the advisability of investments. For example, economics has wrestled with the problem of what it calls "externalities."
A classic example of an externality, according to L. Jean Camp, an associate professor of public policy at the Kennedy School of Government at Harvard University, is pollution from a smoke stack. "The factory that's causing the pollution doesn't bear any of the costs of the pollution that are incurred downwind," Camp says. The cost of the environmental damage is external to the economic calculations the factory makes.
In a paper she co-authored with Catherine Wolfram four years ago, Camp argued that security provides an excellent example of the externality principle.
If one company does a poor job on its cybersecurity, there's usually an impact on other companies. The recent MyDoom worm is a good example of how lax security by one company can have a negative impact on others.
Another area where economics has direct relevance for information-security managers is information sharing. Information sharing has become a mantra of the Department of Homeland Security, as well as of others concerned about improving cybersecurity (such as the Information Sharing and Analysis Centers). While a laudable goal, information sharing has been shown by economists to be a far more difficult concept to put into practice than many realize. We've found that without the appropriate economic incentives, the free-rider problem usually prevents organizations from obtaining the potential value of information sharing in an information-security setting.
The above provides just a smattering of how economics relates to information security. However, the message should be clear: Information-security managers need to view security through the lens of economics as well as a technical-security lens if they want to successfully carry out their jobs and level the playing field during budget requests. The sooner information-security managers realize this fact, the better off all of us will be in terms of cybersecurity.
Lawrence A. Gordon is Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland. Reach him at [email protected].
Robert Richardson is the editorial director at the Computer Security Institute, a sister organization to information . He can be reached at [email protected].