The economics of information technology security

Posted on: 2004-06-24
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Cavusoglu, Huseyin
Full Text: PDF
GTID: 1468390011959165
Subject: Business Administration
Abstract/Summary:

Explosive growth in networking technologies, including the Internet, and the growth of E-commerce have changed the business landscape irreversibly. Today firms are dependent on IT systems like never before. However, increased dependence on IT systems, along with increased interconnections among them, has also led to increased risk of IT security breaches. Realizing the rise in IT security risk, firms started to invest heavily in security technologies without considering the return on security investments (ROSI). However, achieving a high level of security is not cheap. Firms have to weigh the need for IT security against its cost for effective deployment of IT security management. The real challenge is determining how much to spend and where to spend it. This requires assessments of the value of security technologies. My dissertation addresses this issue by quantifying and analyzing the economic value of IT security to help decision makers in the IT security domain.

The first essay in my dissertation focuses on estimating the cost of IT security breaches using the event study methodology. The aim of this study is to calculate the cost of IT security breaches indirectly through reactions in capital markets. I also identify the factors that affect the extent of investors' reactions. In addition, I analyze whether security breaches have any spillover effect on security developers.

The inadequacy of preventive control mechanisms to fully avoid security breaches has forced security management to consider detective controls. The second essay in my dissertation analyzes the value of an intrusion detection system (IDS)—the most widely used detective control—within an IT security architecture. Specifically, I quantify the magnitude as well as the drivers of IDS benefits from a strategic perspective using a game theoretic model. Based on my analysis, I provide valuable insights to firms that consider employing an IDS and firms that develop IDSs.

The third essay in my dissertation extends the model in the second essay to encompass a comprehensive IT security architecture that consists of a firewall, an IDS (technical controls) and manual monitoring (operational control). I analyze the value of individual security technologies and the interaction effect between these technologies when they are implemented together. Finally, I offer some guidelines on how to set up effective security based on the IT security risk environment and quality characteristics of security technologies.
Keywords/Search Tags: Security, Technologies, Firms, IDS