Understanding the value of countermeasure portfolios in information systems security

Publication type:
Article
Authors:
Kumar, Ram L.; Park, Sungjune; Subramaniam, Chandrasekar
Affiliations:
University of North Carolina; University of North Carolina Charlotte; University of North Carolina; University of North Carolina Charlotte
Journal:
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS
ISSN/ISBN:
0742-1222
DOI:
10.2753/MIS0742-1222250210
Publication date:
2008
Pages:
241-279
Keywords:
technology RISK performance simulation MODEL
Abstract:
Organizations are faced with a variety of information security threats and implement several information system security countermeasures (ISSCs) to mitigate possible damage due to security attacks. These security countermeasures vary in their ability to deal with different types of security attacks and, hence, are implemented as a portfolio of ISSCs. A key challenge for organizations is to understand the economic consequences of security attacks relative to the ISSC portfolio implemented. This paper combines the risk analysis and disaster recovery perspectives to build an integrated simulation model of ISSC portfolio value. The model incorporates the characteristics of an ISSC portfolio relative to the threat and business environments and includes the type of attack, frequency of attacks, possible damage, and the extent and time of recovery from damage. The simulation experiments provide interesting insights into the interactions between ISSC portfolio components and characteristics of business and threat environments in determining portfolio value.