Network externalities, layered protection and IT security risk management

Wei T. Yue; Metin Çakanyildirim; Young U. Ryu; Dengpan Liu

doi:10.1016/j.dss.2006.08.009

Network externalities, layered protection and IT security risk management

Wei T. Yue, Metin Çakanyildirim, Young U. Ryu, Dengpan Liu

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

43 Citations (Scopus)

Abstract

This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur. © 2006 Elsevier B.V. All rights reserved.

Original language	English
Pages (from-to)	1-16
Journal	Decision Support Systems
Volume	44
Issue number	1
DOIs	https://doi.org/10.1016/j.dss.2006.08.009
Publication status	Published - Nov 2007
Externally published	Yes

Research Keywords

IT risk analysis
IT risk management
IT risk mitigation
Security investments
Security resource planning

Access Output

10.1016/j.dss.2006.08.009

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{158feff39c0b4b20b0a03328cfda230d,

title = "Network externalities, layered protection and IT security risk management",

abstract = "This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur. {\textcopyright} 2006 Elsevier B.V. All rights reserved.",

keywords = "IT risk analysis, IT risk management, IT risk mitigation, Security investments, Security resource planning",

author = "Yue, {Wei T.} and Metin {\c C}akanyildirim and Ryu, {Young U.} and Dengpan Liu",

year = "2007",

month = nov,

doi = "10.1016/j.dss.2006.08.009",

language = "English",

volume = "44",

pages = "1--16",

journal = "Decision Support Systems",

issn = "0167-9236",

publisher = "Elsevier B.V.",

number = "1",

}

TY - JOUR

T1 - Network externalities, layered protection and IT security risk management

AU - Yue, Wei T.

AU - Çakanyildirim, Metin

AU - Ryu, Young U.

AU - Liu, Dengpan

PY - 2007/11

Y1 - 2007/11

N2 - This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur. © 2006 Elsevier B.V. All rights reserved.

AB - This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur. © 2006 Elsevier B.V. All rights reserved.

KW - IT risk analysis

KW - IT risk management

KW - IT risk mitigation

KW - Security investments

KW - Security resource planning

UR - http://www.scopus.com/inward/record.url?scp=34548477450&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-34548477450&origin=recordpage

U2 - 10.1016/j.dss.2006.08.009

DO - 10.1016/j.dss.2006.08.009

M3 - RGC 21 - Publication in refereed journal

SN - 0167-9236

VL - 44

SP - 1

EP - 16

JO - Decision Support Systems

JF - Decision Support Systems

IS - 1

ER -

Network externalities, layered protection and IT security risk management

Abstract

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this