Using Theories from Economics and Finance for Information Security Risk Management
Risk management in information security has traditionally been approached from a technical perspective, and a variety of technical controls are deployed to prevent future information security events. However, recent incidents of data theft, DDoS, etc., at various organizations indicate that even the most sophisticated technical defenses are vulnerable. Furthermore, the negative impact of an information security event on an organization is becoming a business issue, and investors are demanding better risk mitigation strategies. The increasing adverse impact of information security events is creating a need for organizations to pursue risk management from an economic perspective. The economic benefit of investments in information security risk management is estimated as the value of the reduction in the impact of an uncertain future event (e.g., reduction in the impact of a DDoS attack). Therefore, it is important for decision makers to be able to predict uncertain future events and their adverse impact. On the other hand, information related to information security events (e.g., information about a vulnerability in a piece of software) often exists in the form of dispersed insights, opinions, and intuitions. An effort to aggregate this dispersed information may make a significant contribution to risk management. Therefore, devising a mechanism to aggregate dispersed information for risk management, particularly to 'hedge' the impact of an information security event, is crucial. Prediction markets are an emerging form of technology-enabled economic tool for collecting human intelligence. Several theoretical, empirical, and experimental studies and industry applications have shown that prediction markets are one of the most effective mechanisms for collecting and aggregating dispersed information.
Prediction markets can make accurate predictions and can be used for various business decisions, including risk management. However, not all prediction markets have the same objective, and therefore their designs differ. Thus, for a prediction market to succeed, an important question to address is how the market should be designed. This thesis employs the design science research method to apply existing theories and models from the domain of risk economics, particularly from the fields of prediction markets and financial instruments, to the management of information security risks. With the goal of better understanding prediction markets as a tool for prediction and risk management, this thesis contributes to the field of information security economics and risk management. It investigates the gaps in existing information security investment models and market methods and proposes a framework to simplify the task of selecting an investment model. It establishes a conceptual foundation for the study of information security prediction markets and investigates the applicability of prediction markets to the management of information security risks. A set of design elements and performance evaluation criteria for an information security prediction market are presented. Furthermore, this thesis presents a set of information security financial instruments, demonstrates their application, and evaluates their usefulness in mitigating the impact of the underlying information security event. A set of metrics for ex-ante and ex-post assessment of hedge strategy and of the performance of information security financial instruments is also presented. This research establishes that information security financial instruments and prediction markets can be an effective solution, at least to some extent, to the problems in the existing risk market for information security risks.