What Should You Pay to Protect Your Data? The Economics of Cyber Security. / Ertan, Amy.

In: Cyber World, Vol. March 2018 edition, 09.03.2018, p. 50-55.

Research output: Contribution to non-peer-reviewed publication - Internet publication

Published

Vancouver

Ertan A. What Should You Pay to Protect Your Data? The Economics of Cyber Security. Cyber World. 2018 Mar 9;March 2018 edition:50-55.

Author

Ertan, Amy. / What Should You Pay to Protect Your Data? The Economics of Cyber Security. In: Cyber World. 2018; Vol. March 2018 edition. pp. 50-55.

BibTeX

@misc{af3745d6cc61418a88c71762b12b3dfe,
title = "What Should You Pay to Protect Your Data? The Economics of Cyber Security",
abstract = "A CISO{\textquoteright}s primary duty is to protect their organisation{\textquoteright}s data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size. Cyber security investment is generally viewed as essential to protect an organisation{\textquoteright}s assets. If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we might expect a range of controls to be put in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the {\textquoteleft}right{\textquoteright} amount to invest to protect a given data-set? How do you know if you{\textquoteright}re investing too much, or too little? Organisational leaders often have little to go on when determining the optimal amount to invest in cyber security, which needs to be more than an intuitive (and therefore subjective) exercise. Two academics at the University of Maryland, Laurence Gordon and Martin Loeb, have developed an economic framework to help answer this question. They found that the optimal amount of investment should only be a {\textquoteleft}small fraction{\textquoteright} of the expected monetary loss following a data breach (and estimate the optimal figure at around 37% of an expected loss). They also found that beyond a certain expected level of loss, extra investment provided increasingly limited additional protection benefits. Their model has become one of the most prominent frameworks within the economics of security investment.",
author = "Amy Ertan",
year = "2018",
month = mar,
day = "9",
language = "English",
volume = "March 2018 edition",
pages = "50--55",
journal = "Cyber World",
}

RIS

TY - GEN

T1 - What Should You Pay to Protect Your Data? The Economics of Cyber Security

AU - Ertan, Amy

PY - 2018/3/9

Y1 - 2018/3/9

N2 - A CISO’s primary duty is to protect their organisation’s data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size. Cyber security investment is generally viewed as essential to protect an organisation’s assets. If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we might expect a range of controls to be put in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the ‘right’ amount to invest to protect a given data-set? How do you know if you’re investing too much, or too little? Organisational leaders often have little to go on when determining the optimal amount to invest in cyber security, which needs to be more than an intuitive (and therefore subjective) exercise. Two academics at the University of Maryland, Laurence Gordon and Martin Loeb, have developed an economic framework to help answer this question. They found that the optimal amount of investment should only be a ‘small fraction’ of the expected monetary loss following a data breach (and estimate the optimal figure at around 37% of an expected loss). They also found that beyond a certain expected level of loss, extra investment provided increasingly limited additional protection benefits. Their model has become one of the most prominent frameworks within the economics of security investment.

AB - A CISO’s primary duty is to protect their organisation’s data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size. Cyber security investment is generally viewed as essential to protect an organisation’s assets. If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we might expect a range of controls to be put in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the ‘right’ amount to invest to protect a given data-set? How do you know if you’re investing too much, or too little? Organisational leaders often have little to go on when determining the optimal amount to invest in cyber security, which needs to be more than an intuitive (and therefore subjective) exercise. Two academics at the University of Maryland, Laurence Gordon and Martin Loeb, have developed an economic framework to help answer this question. They found that the optimal amount of investment should only be a ‘small fraction’ of the expected monetary loss following a data breach (and estimate the optimal figure at around 37% of an expected loss). They also found that beyond a certain expected level of loss, extra investment provided increasingly limited additional protection benefits. Their model has become one of the most prominent frameworks within the economics of security investment.

M3 - Internet publication

VL - March 2018 edition

SP - 50

EP - 55

JO - Cyber World

JF - Cyber World

ER -