Abstract: |
This article focuses on the economics of information security investments. Return on investment, an output-input metric, can only be applied imperfectly to computer security because of the need to define the return. Furthermore, return on investment does not take into account the time value of money. So rather than the traditional accounting notion of return on investment, economists prefer to talk in terms of net present value or internal rate of return, the latter being a time-adjusted notion of rate of return. There is nothing hypothetical about the applicability of these metrics to security budgeting. A growing number of security managers are using net present value as a metric to quantify the benefits of their expenditures. The fundamental insight of net present value is double-edged. The later the cost saving from avoiding cybercrimes, the less it is worth. At the same time, the sooner the investment in cybersecurity, the more it costs. One area in which economics has direct relevance for information security is information sharing. Without appropriate economic incentives, the free-rider problem usually keeps organizations from reaping the value of information sharing in an information-security setting.