weights are decision-maker dependent, so the rankings based on the PCR are likely to vary from person
to person. With the values of A, B, and C given by
0.4, 0.4, and 0.2, respectively, Proposal 1 is preferred
to Proposal 2, which in turn is preferred to Proposal
3, which is preferred to Proposal 4. It is interesting to
note that Proposal 1 has the smallest value of the
PCR, even though it did not dominate any individual
metric. However, if the decision maker’s weights were
A = 0.1, B = 0.2, and C = 0.7, then based on the PCR,
Proposal 4 is preferred to Proposal 2, which is preferred to Proposal 1, which is preferred to Proposal 3.⁴
The approach of using the expected loss due to a
breach as the ranking criterion gives the CISO a narrow analysis of the alternatives and may lead to misleading results. Examining these other risk measures
helps determine the best proposal for implementation. Although we formed the PCR as a linear combination of expected loss, expected severe loss, and
standard deviation of loss, the method of forming a
single PCR type of metric from a set of criteria is a
general methodology. The decision maker can use any
set of criteria to form a PCR type of metric and the
AHP to determine the weighting factors. In that way,
no matter what aspects of risk a decision maker
wishes to consider, a PCR type of metric can serve as
a powerful decision-making tool.
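The following is an added example and is not code from the paper. It builds a PCR-type metric as the linear combination A·(expected loss) + B·(expected severe loss) + C·(standard deviation of loss), derives A, B and C from an AHP pairwise-comparison matrix (principal eigenvector by power iteration, with Saaty's consistency ratio as the sanity check a practitioner would want before trusting the weights), and ranks four proposals. The proposal figures are constructed numbers chosen only to reproduce the kind of reversal discussed above (one ordering under A = 0.4, B = 0.4, C = 0.2, another under A = 0.1, B = 0.2, C = 0.7); they are not the paper's proposals, and all function and variable names are the example's own.

```python
"""Added example: a PCR-type composite risk metric with AHP-derived weights.
The proposal data below are constructed for illustration, not the paper's."""
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index RI for matrices of order n = 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# The three PCR criteria, in the order used for weight vectors and matrices.
CRITERIA = ("expected_loss", "expected_severe_loss", "std_dev_loss")

# Constructed sample input (US$ millions per year); invented, not from the paper.
PROPOSALS: Dict[str, Dict[str, float]] = {
    "Proposal 1": {"expected_loss": 20.0, "expected_severe_loss": 40.0, "std_dev_loss": 30.0},
    "Proposal 2": {"expected_loss": 18.0, "expected_severe_loss": 50.0, "std_dev_loss": 25.0},
    "Proposal 3": {"expected_loss": 25.0, "expected_severe_loss": 35.0, "std_dev_loss": 60.0},
    "Proposal 4": {"expected_loss": 30.0, "expected_severe_loss": 60.0, "std_dev_loss": 15.0},
}


def ahp_weights(pairwise: Sequence[Sequence[float]], iterations: int = 500) -> Tuple[List[float], float]:
    """Derive criterion weights from a reciprocal pairwise-comparison matrix.

    Returns the normalised principal eigenvector (found by power iteration) and
    Saaty's consistency ratio CR = CI / RI, where CI = (lambda_max - n) / (n - 1).
    A CR above roughly 0.1 means the judgements are too inconsistent to use."""
    n = len(pairwise)
    for i in range(n):
        for j in range(n):
            if abs(pairwise[i][j] * pairwise[j][i] - 1.0) > 1e-9:
                raise ValueError(f"matrix is not reciprocal at ({i},{j})")
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri else 0.0
    return w, cr


def weights_from_matrix(pairwise: Sequence[Sequence[float]]) -> Dict[str, float]:
    """Map an AHP weight vector onto the criteria, rejecting inconsistent judgements."""
    w, cr = ahp_weights(pairwise)
    if cr > 0.1:
        raise ValueError(f"pairwise judgements inconsistent (CR = {cr:.3f})")
    return dict(zip(CRITERIA, w))


def pcr(metrics: Dict[str, float], weights: Dict[str, float]) -> float:
    """PCR = A*expected_loss + B*expected_severe_loss + C*std_dev_loss."""
    return sum(weights[c] * metrics[c] for c in CRITERIA)


def rank_by_pcr(proposals: Dict[str, Dict[str, float]],
                weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Proposals from most to least preferred: lowest PCR (lowest composite risk) first."""
    scored = [(name, round(pcr(m, weights), 3)) for name, m in proposals.items()]
    return sorted(scored, key=lambda item: item[1])


def best_on_each_criterion(proposals: Dict[str, Dict[str, float]]) -> Dict[str, str]:
    """Which proposal is best (lowest) on each single metric taken alone."""
    return {c: min(proposals, key=lambda name: proposals[name][c]) for c in CRITERIA}


# Pairwise judgements on Saaty's 1-9 scale, rows and columns in CRITERIA order;
# entry (i, j) = 2 means criterion i is judged twice as important as criterion j.
MATRIX_A = [[1, 1, 2], [1, 1, 2], [1 / 2, 1 / 2, 1]]       # consistent; gives A=0.4, B=0.4, C=0.2
MATRIX_B = [[1, 1 / 2, 1 / 7], [2, 1, 1 / 4], [7, 4, 1]]   # gives roughly A=0.10, B=0.19, C=0.72

if __name__ == "__main__":
    print("best on each single metric:", best_on_each_criterion(PROPOSALS))
    for matrix in (MATRIX_A, MATRIX_B):
        weights = weights_from_matrix(matrix)
        print({k: round(v, 3) for k, v in weights.items()}, "->", rank_by_pcr(PROPOSALS, weights))
```

With MATRIX_A the ranking is Proposal 1, 2, 3, 4 even though Proposal 1 is not the best on any single metric; with MATRIX_B (which shifts most of the weight onto the standard deviation of loss) it becomes Proposal 4, 2, 1, 3. The consistency-ratio check is the step most often skipped in practice: a decision maker whose pairwise judgements contradict each other produces weights, and hence a ranking, that mean nothing.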
CONCLUSION
Anyone responsible for information security must
be able to manage risk. However, the initial step in
such management—defining risk—is far from easy.
Popular risk metrics (such as expected loss from a
breach and the standard deviation of a loss from a
breach) capture only narrow aspects of risk. Here,
we’ve introduced a new metric—the PCR—to evaluate investment proposals for enhanced information
security and recommended using AHP to determine
the weights in the PCR. The PCR gives the user
powerful new tools for analyzing proposals for
enhancing an organization's information security system. This analysis complements [1], which
detailed how to spend an information-security budget, taking into account both financial and
nonfinancial aspects of proposed information security projects.

⁴ In this case, PCR(Proposal 4) = $21.227 million, PCR(Proposal 2) = $22.330 million,
PCR(Proposal 1) = $28.006 million, and PCR(Proposal 3) = $39.548 million.

68 April 2008/Vol. 51, No. 4 COMMUNICATIONS OF THE ACM
REFERENCES
1. Bodin, L., Gordon, L., and Loeb, M. Evaluating information security investments using the analytic hierarchy process. Commun. ACM 48, 2 (Feb. 2005), 78–83.
2. Gordon, L. and Loeb, M. Budgeting process for information security expenditures: Empirical evidence. Commun. ACM 49, 1 (Jan. 2006), 121–125.
3. Gordon, L. and Loeb, M. Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, New York, 2006.
4. Gordon, L., Loeb, M., and Lucyshyn, W. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22, 6 (Nov.-Dec. 2003), 461–485.
5. Gordon, L., Loeb, M., and Sohail, T. A framework for using insurance for cyber risk management. Commun. ACM 46, 3 (Mar. 2003), 81–85.
6. Gordon, L. and Loeb, M. The economics of information security investment. ACM Transactions on Information and System Security 5, 4 (Nov. 2002), 438–457.
7. Gordon, L. and Loeb, M. A framework for using information security as a response to competitor analysis systems. Commun. ACM 44, 9 (Sept. 2001), 70–75.
8. Saaty, T. The Analytic Hierarchy Process. McGraw-Hill, New York, 1980.
LAWRENCE D. BODIN (lbodin@rhsmith.umd.edu) is Professor Emeritus in the Robert H. Smith School of Business at the University of Maryland, College Park, MD.
LAWRENCE A. GORDON (lgordon@rhsmith.umd.edu) is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance in the Robert H. Smith School of Business at the University of Maryland, College Park, where he is also an affiliate professor in the University of Maryland Institute for Advanced Computer Studies.
MARTIN P. LOEB (mloeb@rhsmith.umd.edu) is a professor of accounting and information assurance and a Deloitte & Touche faculty fellow in the Robert H. Smith School of Business at the University of Maryland, College Park, where he is also an affiliate professor in the University of Maryland Institute for Advanced Computer Studies.
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
© 2008 ACM 0001-0782/08/0400 $5.00