Economic Analysis of Cyber Security
Final technical rept. Sep 2004-Apr 2006
RESEARCH TRIANGLE INST (RTI) RESEARCH TRIANGLE PARK NC
Organizations typically use robust analysis techniques to determine how best to invest scarce resources that will lead to increased revenue and decreased costs. However, few organizations attempt such analysis for their cyber security mechanisms. Key performance and evaluation metrics are not available, so organizations rely on qualitative assessments, and even those with well-developed tracking systems do not have the tools to derive the cyber security data for use in quantitative budgeting processes. Using a case study approach, we interviewed organizations in a variety of sectors to understand their investment and implementation strategies, particularly focusing on the factors driving their level of security and the resources they rely on for planning and resource allocation. This report presents our findings and introduces an approach to consider the trade-offs between various investment and implementation strategies and public policy options. In general, we found that most organizations make decisions related to cyber security investments at the IT staff level, but there is a trend toward more management-level (e.g., risk management) decisions. Further, our analysis indicates that some organizations are more proactive (vice reactive) than others, and that the proactive organizations are also more reliant on external information resources when making investment decisions.
APPROVED FOR PUBLIC RELEASE