END USER AND ORGANIZATIONAL SECURITY
Users may be individual end users and organizations ranging from small to very large size. Our focus is on the incentives and decisions of organizations outside the IT security industry that need to protect information assets related to their core business.
We start by looking at larger organizations with dedicated IT budgets and then turn our attention to smaller organizations and individuals with limited skills to assess and manage security risks.
13.4.1 Information Security Investment in Large Organizations
Rational large organizations would make security investment decisions based on several relevant factors, including the type of risk they are facing, the monetary and nonmonetary consequences of failure, the resilience of their operations, and so on. In practice, the available budget is often a key determinant of their security investments (Cavusoglu et al., 2004). The total cost of security includes investment in technology, the hiring of experts, as well as the indirect productivity costs that might be caused by security controls. Although security spending figures tell little about the rationality of expenses, they are a useful proxy for the total resources available. Framing security as an investment problem eases communication with upper management and helps set limits, as it might make sense not to defend against certain threats.
Gordon and Loeb (2002) first explored optimal security investment conceptually. They proposed a model in which information assets are categorized based on their value, potential loss in case of a breach, and their vulnerability. The authors showed that under varying assumptions firms will be better off concentrating efforts on information assets with mid-range vulnerabilities as extremely valuable information may be ‘inordinately expensive’ to protect. To maximize expected benefits a firm should spend only a small fraction of the expected loss on securing an asset (except in cases when law requires an asset to be protected regardless of value).
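To make the Gordon-Loeb result concrete, the following is an added numerical example (not from the chapter or from the original paper's authors). It uses the two security-breach-probability families defined in Gordon and Loeb (2002), where v is the vulnerability of an asset, L the loss from a breach, z the amount invested and S(z, v) the breach probability after investing z, and maximises the expected net benefit ENBIS(z) = (v - S(z, v)) L - z by grid search. The loss of 10,000, the productivity parameters alpha and beta, and the vulnerability grid are constructed values chosen for illustration.

```python
"""Numerical illustration of the Gordon-Loeb (2002) security investment model.

Added example, not from the chapter. Symbols follow the original paper:
  v        vulnerability: probability a threat succeeds with zero investment
  L        monetary loss if the breach occurs (expected loss with no investment = v*L)
  z        amount invested in security
  S(z, v)  breach probability after investing z
The two families of S from the paper are used:
  class I : S(z, v) = v / (alpha*z + 1)**beta
  class II: S(z, v) = v ** (alpha*z + 1)
The firm maximises ENBIS(z) = (v - S(z, v)) * L - z.
Parameter values (L = 10000, alpha = 0.001, beta = 1) are constructed for this example.
"""
import math
from typing import Callable, List, Tuple

BreachProb = Callable[[float, float], float]
ONE_OVER_E = 1 / math.e  # Gordon-Loeb bound: optimal z never exceeds (1/e) * v * L


def class1_breach_prob(alpha: float = 0.001, beta: float = 1.0) -> BreachProb:
    """Class I family: investment reduces breach probability polynomially."""
    return lambda z, v: v / (alpha * z + 1.0) ** beta


def class2_breach_prob(alpha: float = 0.001) -> BreachProb:
    """Class II family: investment raises the exponent on v."""
    return lambda z, v: v ** (alpha * z + 1.0)


def enbis(z: float, v: float, loss: float, breach_prob: BreachProb) -> float:
    """Expected net benefit of investing z: reduction in expected loss minus cost."""
    return (v - breach_prob(z, v)) * loss - z


def optimal_investment(v: float, loss: float, breach_prob: BreachProb,
                       steps: int = 20000) -> Tuple[float, float]:
    """Grid search z over [0, v*loss]; spending more than the expected loss is never rational.

    Returns (z_star, enbis_at_z_star). z = 0 yields ENBIS = 0 by definition, so
    an asset keeps z_star = 0 unless some positive investment has positive net benefit.
    """
    expected_loss = v * loss
    best_z, best_val = 0.0, 0.0
    for i in range(1, steps + 1):
        z = expected_loss * i / steps
        val = enbis(z, v, loss, breach_prob)
        if val > best_val:
            best_z, best_val = z, val
    return best_z, best_val


def investment_profile(loss: float, breach_prob: BreachProb,
                       vulnerabilities: List[float]) -> List[Tuple[float, float, float]]:
    """For each vulnerability level return (v, z_star, z_star as a share of expected loss)."""
    rows = []
    for v in vulnerabilities:
        z_star, _ = optimal_investment(v, loss, breach_prob)
        rows.append((v, z_star, z_star / (v * loss)))
    return rows


def respects_one_over_e_rule(rows: List[Tuple[float, float, float]], loss: float,
                             tolerance: float = 1.0) -> bool:
    """Check the paper's bound z_star <= v*L/e (tolerance absorbs grid-search error)."""
    return all(z <= v * loss * ONE_OVER_E + tolerance for v, z, _ in rows)


if __name__ == "__main__":
    LOSS = 10_000.0
    grid = [0.01, 0.1, 0.3, 0.5, 0.7, 0.8, 0.9, 0.99]
    for name, fam in (("class I", class1_breach_prob()), ("class II", class2_breach_prob())):
        print(f"{name}: v -> optimal z (share of expected loss v*L)")
        for v, z, share in investment_profile(LOSS, fam, grid):
            print(f"  v={v:4.2f}  z*={z:8.1f}  share={share:.3f}")
```

Running the script shows the two behaviours the text refers to: under the class II family the optimal investment is zero for the least vulnerable assets, rises for mid-range vulnerabilities, and falls back to zero for the most vulnerable ones (those are the assets that are 'inordinately expensive' to protect), whereas under class I it grows with vulnerability. In both families the optimal spend stays below 1/e of the expected loss, which is the paper's 'small fraction' result.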
A number of scholars have extended this simple and elegant model, for instance by looking at the timing of investment, by proposing different caps for security investment, and by relaxing model assumptions. Ioannidis et al. (2013a) show in a utility-theoretic model that security investment turns out to be cyclical when costly projects are deferred due to uncertainty related to the costs of future vulnerabilities. Böhme and Moore (2009) model the interaction between defenders that face investment decisions under uncertainty and attackers who repeatedly target the weakest link. They empirically validate their model and conclude that underinvestment can be reasonable under certain scenarios: when reactive investment is possible, when attacks are not catastrophic, and when uncertainty exists about attacker capabilities. Although difficult, quantifying cybersecurity risks and costs is an integral part of the investment models. Brecht and Nowey (2013) focus on establishing the costs of information security. They offer a comprehensive comparison of three alternatives to using surveys for determining such costs. Demetz and Bachlechner (2013) compared approaches using a configuration management tool as an example, and found that there is considerable potential for new approaches to complement existing ones. These selected findings illustrate the difficulties of operationalizing and implementing cost-benefit approaches to assessing security investment.
The level of investment aside, what security practices should an organization put into effect? A high-level distinction is between practices that have an observable impact on security and those that are adopted for compliance reasons, due diligence or keeping up with what are considered ‘best practices’. The security benefits of alternative approaches also depend on the goals of an organization, which might include protecting the organization’s intellectual property, finances and customers from attacks. Sometimes security solutions might be focused on other objectives than security, for instance on achieving customer lock-in, as is the case with security measures in printers designed to ensure that third-party ink cannot be used.
In the case of best practices or standards, security measures are not adopted per se for their effectiveness, but rather for the sake of compliance. Standards such as the ISO 27000 series, the Common Criteria, or sector-specific security regulation may fall in this category if implemented mainly to disclaim liability in case of failure. From the perspective of policy-makers such measures can still be useful for the ecosystem as a whole if an evaluation of their aggregate results indicates that they have desired effects on security.
The security incentives of large organizations are, in short, mixed. Tolerating some level of insecurity is economically rational, and as long as the organization accepts the risks and compensates the direct and indirect costs it limits the externalities of its security decisions. An organization can also decide to transfer security risks to a third party via cyber insurance. But this arrangement has not been widely adopted thus far. Other policies are required if incident costs are not borne by the organization and externalities are created. One means is data breach disclosure laws (sometimes referred to as security breach notification laws) intended to mitigate harms to third parties caused by an organization’s underinvestment in security. Organizations are required to notify all affected customers in cases of breaches leading to compromise of personal information. If they fail to do so they become liable for damages and face fines.
13.4.2 Security in the Healthcare Sector
Organizational security has also been studied in the context of particular sectors. The healthcare sector is a good example, illustrating many key aspects of security decisions. It deals with confidential and sensitive patient data and has been subject to sector-specific regulation such as the US Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA). While confidentiality has considerable importance for earning the trust of patients and professionals, it is not the core business of health organizations.
Consequently, attitudes towards such regulations might mainly be driven by a desire to be compliant. Given the interest in how an attitude of compliance affects security decisions, the healthcare sector has been studied in detail by researchers.
Gaynor et al. (2012) studied around 200 reported data breaches in hospitals from 2006 to 2011 and found that increased competition was associated with a decline in data protection. They suggest that hospitals in competitive markets may be inclined to shift resources to visible activities rather than data protection. Kwon and Johnson (2011) analyzed 2000 healthcare organizations and found that proactive security investments, associated with longer intervals between subsequent breaches, were most effective when voluntarily done. Miller and Tucker (2011) looked at encryption as a tool for increasing data security, in particular in states that provide safe harbors when it is used. They found that data breaches perversely increased after healthcare organizations adopted encryption software, possibly due to a false sense of security and/or a moral hazard problem. The effectiveness of sector regulation might be tied to the specifics of its formulation, as Kwon and Johnson (2013) suggest in a more optimistic study of the effects of the financial incentives created by the HITECH Act. They conclude that mitigating data breaches depends more on security resources and capabilities than regulatory compliance and reiterate that policy should provide guidelines to invest in a combination of security resources, capabilities, and cultural values, rather than impose single-solution requirements.
13.4.3 Individuals and Small Organizations
End users that lack dedicated IT staff often rely on a variety of heuristics to make security decisions. These decisions are prone to mistakes that fraudsters can exploit (Stajano and Wilson, 2011). The sheer number of such users means that even a small vulnerable fraction can cause major security risks for others and in the aggregate.
An example is the market for fake anti-virus software: hundreds of thousands of users have been conned into paying for malware that claims to be an anti-virus product (Stone-Gross et al., 2013).
Psychology and behavioral economics provide explanations for such behaviors. Understanding how end users interpret error messages and make security decisions can be used to design user interfaces that nudge users towards better security choices (Sunshine et al., 2009; Camp, 2013). Bravo-Lillo et al. (2011) provide an enlightening example: novice users perceive ‘saving’ a file as being more dangerous than ‘opening’ it, as it implies persistent changes to the system. Similarly, Wash (2010) discusses ‘folk models’ formed by users about security threats and how they influence online behavior. Given these difficulties, end users might be willing to pay for extra security services. Just as an example, Wood and Rowe (2011) estimated that customers of US Internet service providers are willing to pay a $4 to $7 a month premium for mitigating malware harms. However, this willingness often does not translate into actual purchasing behavior due to information asymmetries and the market for lemons problem.
Users are not always wrong to ignore security advice (Herley, 2009). Typical advice concerning passwords is outdated, almost all certificate error warnings appear to be false positives, and if users spent even a minute a day reading URLs to avoid phishing, the costs would greatly outweigh phishing losses. Florencio and Herley (2010) investigated password policies concluding that websites with the most restrictive policies are insulated from the consequences of poor usability: for example, universities have stricter password rules than Google and Facebook as they won’t lose revenue if users have a hard time logging in. The latter defend against more attacks using other effective authentication controls that maintain convenience (such as the location of access). This example shows an interesting trade-off between different aspects of implementing security protections.
Due to carelessness and the limits of human intuition, end users can create considerable externalities for the Internet economy. However, they also fuel the Internet economy by shopping online and clicking on ads. Improving end user security at the expense of convenience might therefore result in a net loss, an economic trade-off that larger organizations may be better placed to avoid. For example, when online merchants were pushed by Mastercard and VISA to adopt the 3-D Secure anti-fraud measure or accept liability for the fraud losses, some found that the additional checks resulted in higher dropout rates during checkout. These exceeded the cost of accepting liability for the fraud, which led some merchants to opt out of the security program.
13.5