Skip to main content
Springer Nature Link
Log in

A Closer Look at Information Security Costs

  • Chapter
  • First Online:
The Economics of Information Security and Privacy

Abstract

Economic aspects of information security are of growing interest to researchers and to decision-makers in IT-dependent companies. From a business-perspective, cost-benefit justifications for information security investments are in focus. While previous research has mostly focused on economic models for security investments, or on how to quantify the benefits of information security, this chapter aims to take a closer look at the costs of information security. After providing the reader with basic knowledge and motivation for the topic, we identify and describe the problems and difficulties in quantifying an enterprise’s cost for information security in a comprehensive and comparable way. Of these issues, the lack of a common model of costs of information security is the most prominent one. This chapter also discusses four approaches to categorize and determine the costs of information security in an enterprise. Starting with the classic approach frequently used in surveys, we continue by describing three alternative approaches. To support research on the costs of information security we propose two metrics. We conclude with input for future research, especially for an empirical analysis of the topic.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    http://www.gartner.com

  2. 2.

    TCO is a financial approach to help managers or consumers to estimate the overall costs of a product over its whole life cycle. It can also be used to determine the economic value of an investment and contains both acquisition and operation costs.

References

  1. Amoroso, E.: Hearing before the US Senate Commerce, Science, and Transportation Committee. Senate Hearing, pp. 111–143. U.S. Senate Committee on Commerce, Science, and Transportation (2009). http://www.commerce.senate.gov/public/index.cfm?p=Hearings&ContentRecord_id=d59f00d0-0ad9-41cd-bde8-b96babb08b7e&ContentType_id=14f995b9-dfa5-407a-9d35-56cc7152a7ed&Group_id=b06c39af-e033-4cba-9221-de668ca1978a&YearDisplay=2009

  2. Anderson, R.: Why information security is hard â€“ an economic perspective. In: ACSAC’01: Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, pp. 358–365. IEEE Computer Society (2001)

    Google Scholar 

  3. Barthélemy, J.: The hidden costs of IT outsourcing. Sloan Manage. Rev. 42(3), 60–69 (2001)

    Google Scholar 

  4. Berinato, S.: Finally, a Real Return on Security Spending. CIO Magazine (2002). Available Online: http://www.cio.com.au/article/52650/finally_real_return_security_spending/

  5. Capgemini: IT-Trends (2008)

    Google Scholar 

  6. Cavusoglu, H., Mishra, B., Raghunathan, S.: A model for evaluating IT security investments. Commun. ACM 47(7), 87–92 (2004)

    Article  Google Scholar 

  7. Commission, F.T.: Identity theft survey report. http://www.ftc.gov/os/2003/09/synovatereport.pdf (2003)

  8. Commission, F.T.: 2006 identity theft survey report. www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf (2007). Accessed 20 Sep 2012

  9. Faisst, U., Prokein, O., Wegmann, N.: Ein Modell zur dynamischen Investitionsrechnung von IT-Sicherheitsmaßnahmen. Zeitschrift für Betriebswirtschaft 77, 511–538 (2007)

    Article  Google Scholar 

  10. Feigenbaum, A.: Total quality control. Harv. Bus. Rev. 34, 93–101 (1956)

    Google Scholar 

  11. FlorĂŞncio, D., Herley, C.: Sex, lies and cyber-crime surveys. In: Ed: Bruce Schneier (ed.) Economics of Information Security and Privacy III. Springer, New York (2013). http://link.springer.com/book/10.1007/978-1-4614-1981-5zitieren?

  12. Gartner: Distributed computing â€“ chart of accounts. http://www.arsys-europe.net/Propalms/Datasheets/Propalms_WhitePaper_Gartner_TCO_Analyse_for_Distributed_Computer.pdf (2003). Accessed 20 Sep 2012

  13. Gartner: IT budget: information security & risk management spend metrics. http://www.gartner.com/technology/metrics/it-security-risk-spending.jsp (2011). Accessed 20 Sep 2012

  14. Gordon, L., Loeb, M.: The economics of information security investment. ACM Trans. Inf. Sys. Secur. (TISSEC) 5(4), 438–457 (2002)

    Google Scholar 

  15. Gordon, L., Loeb, M.: Managing Cybersecurity Resources: A Cost-Benefit Analysis, 1st edn. McGraw-Hill, New York (2005)

    Google Scholar 

  16. Holthaus, M.: Management der Informationssicherheit in Unternehmen. PhD thesis, Universität Zürich (2000)

    Google Scholar 

  17. Hoo, K.J.S.: How much is enough? A risk management approach to computer security. PhD thesis, Stanford University (2000)

    Google Scholar 

  18. Humpert-Vrielink, F., Vrielink, N.: Ganzheitliches sicherheitskosten-controlling. http://www.kes.info/archiv/online/kostencontrolling.html (2011). Accessed 20 Sep 2012

  19. ISO: ISO/IEC 27001:2005 Information Technology â€“ Security Techniques â€“ Information Security Management Systems â€“ Requirements (2005)

    Google Scholar 

  20. Kendrick, S.: The morphing IT security landscape. https://vishnu.fhcrc.org/security-seminar/IT-Security-Landscape-Morphs.pdf (2010). Accessed 20 Sep 2012

  21. Kovacich, G., Halibozek, E.: Security Metrics Management: How to Manage the Costs of an Assets Protection Program. Butterworth-Heinemann, Oxford (2006)

    Google Scholar 

  22. KĂĽtz, M.: Controlling der Information Security, 19th edn. TĂśV Media â€“ Dieter Burgartz and Ralf Röhrig, chap. 03710. No. 32. Aktualisierung September 2011 in Praxiswissen IT-Sicherheit: Praxishandbuch fĂĽr Aufbau, Zertifizierung und Betrieb (2011)

    Google Scholar 

  23. Langfield-Smith, K., Smith, D.: Managing the IS outsourcing relationship. In: Rivard, S., Aubert, B.A. (eds.) Advances in Managing Information Systems. Information System Outsourcing, chap. 10, pp. 163–188. M.E. Sharpe, Armonk (2008)

  24. Locher, C.: Ein Steuerungsmodell fĂĽr das Management von IV-Sicherheitsrisiken bei Kreditinstituten. In: Ferstl, O.K., Sinz, E.J., Eckert, S., Isselhorst, T. (eds.) Wirtschaftsinformatik, pp. 1207–1225. Physica-Verlag, Heidelberg (2005)

    Google Scholar 

  25. Longstaff, T., Chittister, C., Pethia, R., Haimes, Y.: Are we forgetting the risk of information technology. IEEE Comput. 33(12), 43–51 (2000)

    Article  Google Scholar 

  26. Lubich, H.P.: IT-Sicherheit: Systematik, aktuelle Probleme und Kosten-Nutzen-Betrachtung. HMD, Praxis der Wirtschaftsinformatik 43(248), 6–15 (2006)

    Google Scholar 

  27. Mercuri, R.T.: Analyzing security costs. Commun. ACM 46(6), 15–18 (2003)

    Article  Google Scholar 

  28. New Scientist: Cybercrime toll threatens new financial crisis. http://www.newscientist.com/article/dn16092-cybercrime-toll-threatens-new-financial-crisis.html (2008). Accessed 04 June 2012

  29. NIST â€“ National Institute of Standards and Technology: Risk Management Guide for Information Technology Systems. NIST Special Publication 800–30 (2004)

    Google Scholar 

  30. Nowey, T.: Konzeption eines Systems zur überbetrieblichen Sammlung und Nutzung von quantitativen Daten über Informationssicherheitsvorfälle. PhD thesis, Universität Regensburg (2010)

    Google Scholar 

  31. Penn, J.: The State of Enterprise IT Security: 2008 to 2009 (2009). http://www.forrester.com/The+State+Of+Enterprise+IT+Security+2008+To+2009/fulltext/-/E-RES47857

  32. Pohlmann, N.: Wie wirtschaftlich sind IT-Sicherheitsmaßnahmen. HMD, Praxis der Wirtschaftsinformatik 43(248), 26–34 (2006)

    Google Scholar 

  33. Schaffry, A.: Die IT-Sicherheitsausgaben bis 2015. http://www.cio.de/knowledgecenter/security/2294879/index.html?r=2616952702416512&lid=152021 (2011). Accessed 20 Sep 2012

  34. Schiffauerova, A., Thomson, V.: A review of research on cost of quality models and best practices. Int. J. Qual. Reliab. Manage. 23, 647–669 (2006)

    Article  Google Scholar 

  35. Scholtz, T.: Articulating the business value of information security. Tech. rep., Gartner Inc. (2011)

    Google Scholar 

  36. SSG Inc: Cyber crime â€“ the facts. http://www.ssg-inc.net/cyber_crime/cyber_crime.html (2012). Accessed 20 Sep 2012

  37. Sullivan, T.: The surprisingly small percentage health orgs spend on data security. http://govhealthit.com/news/surprisinlgy-small-percentage-health-orgs-spend-data-security (2011). Accessed 20 Sep 2012

  38. Weigelt, M.: Security could consume 10 percent of IT budget. http://fcw.com/articles/2008/02/07/security-could-consume-10-percent-of-it-budget.aspx (2008). Accessed 20 Sep 2012

Download references

Author information

Authors and Affiliations

  1. University of Regensburg, Regensburg, Germany

    Matthias Brecht

  2. Krones AG, Neutraubling, Germany

    Thomas Nowey

Authors
  1. Matthias Brecht
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Thomas Nowey
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Matthias Brecht .

Editor information

Editors and Affiliations

  1. Westfälische Wilhelms-Universität Münster, Münster, Germany

    Rainer Böhme

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Brecht, M., Nowey, T. (2013). A Closer Look at Information Security Costs. In: Böhme, R. (eds) The Economics of Information Security and Privacy. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-39498-0_1

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39497-3

  • Online ISBN: 978-3-642-39498-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics