Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Christos Ioannidis, David J. Pym, Julian Williams

Research output: Chapter in Book/Report/Conference proceeding (Chapter)

Abstract

This paper introduces and demonstrates a simple analytically tractable method of mapping utility theory to information security problems and in particular optimal timing for vulnerability management. Our primary focus is on the decision to defer costly deterministic investment, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with fixed and variable costs that imports a nominal rigidity into the investment decision-making profile. The rigidity introduces a delay in the implementation of security measures, resulting in cyclical investments in information security. We show how such cycles emerge endogenously from the policy-maker's chosen trade-offs between system and security attributes.
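The mechanism the abstract describes, a fixed deployment cost that makes it rational to defer patching until a backlog has built up so that investment arrives in lumps rather than continuously, can be seen in a small simulation. The following Python is an added illustration written for this page, not the authors' model or code, and the paper's own utility and loss functions are not reproduced here. It assumes Bernoulli vulnerability arrivals (at most one per period), a Bernoulli exploitation loss on every open vulnerability, CARA utility to express risk aversion, and a simple threshold trigger: patch when one more period of exposure would cost at least the fixed deployment cost. All parameter values are made up.

```python
import math
import random
from statistics import mean


def certainty_equivalent(q, loss, a):
    """Risk-adjusted cost of carrying one open vulnerability for one period.

    The one-period loss X is Bernoulli: with probability q the vulnerability is
    exploited and the defender loses `loss`, otherwise nothing.  Under CARA
    utility u(x) = -exp(-a * x) the certainty equivalent of that loss is
    (1/a) * ln(E[exp(a * X)]); a = 0 is the risk-neutral expected loss.
    (Toy assumption for this page; the paper's own utility is not shown here.)
    """
    if a == 0:
        return q * loss
    return math.log((1 - q) + q * math.exp(a * loss)) / a


def patch_threshold(fixed_cost, ce):
    """Smallest backlog n at which one more period of exposure (n * ce) costs at
    least the fixed deployment cost, i.e. the point where deferring stops paying.
    With no fixed cost the threshold is one: patch as soon as anything is open."""
    if fixed_cost <= 0:
        return 1
    if ce <= 0:
        raise ValueError("exposure is free, so deferral never stops paying")
    return math.ceil(fixed_cost / ce)


def simulate(periods, fixed_cost, var_cost, p_arrival, q_exploit, loss, a, seed=1):
    """Discrete-time simulation of a defender who batches patch deployments.

    Each period at most one new vulnerability arrives (probability p_arrival);
    every open vulnerability is exploited with probability q_exploit, costing
    `loss`.  Deploying costs fixed_cost + var_cost * batch_size.  Arrivals and
    exploit draws come from separate seeded streams so that different policies
    face the same arrival history and results are reproducible.
    """
    arrivals = random.Random(seed)
    exploits = random.Random(seed + 1)
    ce = certainty_equivalent(q_exploit, loss, a)
    n_star = patch_threshold(fixed_cost, ce)
    backlog = []        # arrival period of each still-unpatched vulnerability
    events = []         # (period, batch size) for each deployment
    delays = []         # periods each vulnerability stayed open before its fix
    investment = 0.0    # deterministic outlay on deployments
    losses = 0.0        # realised losses from exploitation while deferred
    for t in range(periods):
        if arrivals.random() < p_arrival:
            backlog.append(t)
        for _ in backlog:                      # exposure during this period
            if exploits.random() < q_exploit:
                losses += loss
        if len(backlog) >= n_star:             # rigidity: wait until it pays
            investment += fixed_cost + var_cost * len(backlog)
            events.append((t, len(backlog)))
            delays.extend(t - s for s in backlog)
            backlog = []
    intervals = [t2 - t1 for (t1, _), (t2, _) in zip(events, events[1:])]
    return {
        "threshold": n_star,
        "patch_events": len(events),
        "mean_batch": mean([b for _, b in events]) if events else 0.0,
        "mean_delay": mean(delays) if delays else 0.0,
        "mean_interval": mean(intervals) if intervals else 0.0,
        "investment": investment,
        "losses": losses,
    }


if __name__ == "__main__":
    # Made-up parameters: 500 periods, 30% chance of a new vulnerability per
    # period, 5% exploitation chance per open vulnerability per period.
    common = dict(periods=500, var_cost=10.0, p_arrival=0.3,
                  q_exploit=0.05, loss=100.0)
    for label, fc, a in [("no fixed cost, risk-neutral", 0.0, 0.0),
                         ("fixed cost 50, risk-neutral", 50.0, 0.0),
                         ("fixed cost 50, risk-averse", 50.0, 0.05)]:
        print(label, simulate(fixed_cost=fc, a=a, **common))
```

With fixed_cost = 0 the defender patches every vulnerability in the period it arrives, so batches have size one and delay zero. With a positive fixed cost the threshold becomes ten under risk neutrality, deployments happen only when ten vulnerabilities have accumulated, and they recur at roughly threshold / p_arrival periods apart: the cyclical pattern the abstract attributes to the rigidity. Raising the CARA coefficient lifts the risk-adjusted carrying cost, lowers the threshold (to two in the third run) and shortens the cycle, which is the sense in which the cycle length is chosen by the policy-maker's trade-off rather than imposed from outside.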
Original language: English
Title of host publication: Economics of Information Security and Privacy III
Editors: Bruce Schneier
Place of Publication: New York
Publisher: Springer
Pages: 171-191
Number of pages: 21
ISBN (Electronic): 978-1-4614-1981-5
ISBN (Print): 978-1-4614-1980-8, 978-1-4939-0036-7
DOIs: 10.1007/978-1-4614-1981-5_8
Publication status: Published - 2013
Event: The Tenth Workshop on Economics of Information Security (WEIS 2011) - Virginia, United States
Duration: 14 Jun 2011 - 15 Jun 2011

Conference

Conference: The Tenth Workshop on Economics of Information Security (WEIS 2011)
Country: United States
City: Fairfax, Virginia
Period: 14/06/11 - 15/06/11

Fingerprint

Fixed costs
Risk aversion
Information security
Rigidity
Vulnerability
Politicians
Utility theory
Trade-offs
Optimal timing
Variable cost
Nominal rigidities
Import
Investment decision-making
Costs

Cite this

Ioannidis, C., Pym, D. J., & Williams, J. (2013). Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. In B. Schneier (Ed.), Economics of Information Security and Privacy III (pp. 171-191). New York: Springer. https://doi.org/10.1007/978-1-4614-1981-5_8

Ioannidis, C, Pym, DJ & Williams, J 2013, Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. in B Schneier (ed.), Economics of Information Security and Privacy III. Springer, New York, pp. 171-191, The Tenth Workshop on Economics of Information Security (WEIS 2011), Virginia, United States, 14/06/11. https://doi.org/10.1007/978-1-4614-1981-5_8

Ioannidis C, Pym DJ, Williams J. Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. In Schneier B, editor, Economics of Information Security and Privacy III. New York: Springer. 2013. p. 171-191. https://doi.org/10.1007/978-1-4614-1981-5_8

Ioannidis, Christos; Pym, David J.; Williams, Julian. Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach. Economics of Information Security and Privacy III. Editor Bruce Schneier. New York: Springer, 2013. pp. 171-191.
@inbook{04ce37cc0a4a487e99c74cc0977d2ef0,
title = "Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach",
abstract = "This paper introduces and demonstrates a simple analytically tractable method of mapping utility theory to information security problems and in particular optimal timing for vulnerability management. Our primary focus is on the decision to defer costly deterministic investment, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with fixed and variable costs that imports a nominal rigidity into the investment decision-making profile. The rigidity introduces a delay in the implementation of security measures, resulting in cyclical investments in information security. We show how such cycles emerge endogenously from the policy-maker's chosen trade-offs between system and security attributes.",
author = "Christos Ioannidis and Pym, {David J.} and Julian Williams",
year = "2013",
doi = "10.1007/978-1-4614-1981-5_8",
language = "English",
isbn = "978-1-4614-1980-8",
pages = "171--191",
editor = "Bruce Schneier",
booktitle = "Economics of Information Security and Privacy III",
publisher = "Springer",

}

TY - CHAP

T1 - Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security

T2 - A Utility-theoretic Approach

AU - Ioannidis, Christos

AU - Pym, David J.

AU - Williams, Julian

PY - 2013

Y1 - 2013

N2 - This paper introduces and demonstrates a simple analytically tractable method of mapping utility theory to information security problems and in particular optimal timing for vulnerability management. Our primary focus is on the decision to defer costly deterministic investment, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with fixed and variable costs that imports a nominal rigidity into the investment decision-making profile. The rigidity introduces a delay in the implementation of security measures, resulting in cyclical investments in information security. We show how such cycles emerge endogenously from the policy-maker's chosen trade-offs between system and security attributes.

AB - This paper introduces and demonstrates a simple analytically tractable method of mapping utility theory to information security problems and in particular optimal timing for vulnerability management. Our primary focus is on the decision to defer costly deterministic investment, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with fixed and variable costs that imports a nominal rigidity into the investment decision-making profile. The rigidity introduces a delay in the implementation of security measures, resulting in cyclical investments in information security. We show how such cycles emerge endogenously from the policy-maker's chosen trade-offs between system and security attributes.

U2 - 10.1007/978-1-4614-1981-5_8

DO - 10.1007/978-1-4614-1981-5_8

M3 - Chapter

SN - 978-1-4614-1980-8

SN - 978-1-4939-0036-7

SP - 171

EP - 191

BT - Economics of Information Security and Privacy III

A2 - Schneier, Bruce

PB - Springer

CY - New York

ER -