2 Assessing Individual Security Costs
The most effective security solution is the one that provides the best (that is,
optimised) level of security for “the least cost”. Costs to the consumer are minimised
at the point where security costs exactly equal the expected loss that is associated
with the risk function.
More security costs = higher costs to the consumer.
Higher expected loss from risk = higher costs to the consumer.
As expenditure on security is expected to decrease the expected loss, the costs to
the consumer are minimised where the additional expenditure of $1 on security reduces
the expected risk-based loss by exactly $1.
Security is a cost function that is passed to the consumer if profitability is to be
retained, or which reduces profit directly where alternatives exist (that is, the product
is elastic or consumers are willing to reduce their use if costs increase). The expected
cost formula for the supply of these types of services against a loss function can be
expressed by:
$$C_s = D(x,y) + x + y \qquad (1)$$
Where the loss function D(x,y) and the damage to x (the producer) and y (the
consumer) are modelled arithmetically. As in all areas of economics, the marginal gains
in $D_x$ offset those of $D_y$.
In these calculations, $D_{xy} D_{xy} > D_{xx} D_{xy}$, which creates the inference
that the inputs are substitutes. As the producer spends more on security, the consumer
spends less and vice versa. The exact composition of these values varies based on the
nature of the product, with elastic supply being affected more than an inelastic supply.
The real issue and goal in security becomes the creation of a Cournot-Nash
equilibrium [11]. This is an outcome where $X_e$ and $Y_e$ together form a Cournot-Nash
equilibrium: for a given value of $Y_e$, the x which maximises X's utility is $X_e$, and
given $X_e$, the y which maximises Y's utility is $Y_e$. This does not require that the
equilibrium be Pareto optimal [12].
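The trade-off described above can be worked through numerically. The following is an added example, not part of the original text: the loss function D(x, y) = L/((1+x)(1+y)), the value L = 1000 and the 50/50 split of who bears the loss are assumptions chosen for illustration. It locates the point where an extra $1 of security removes exactly $1 of expected loss, then compares it with the Cournot-Nash outcome reached by iterating each party's best response.

```python
import math

L = 1000.0  # assumed loss with no security spending (constructed value)

def loss(x, y):
    """Assumed expected loss D(x, y); x = producer spend, y = consumer spend."""
    return L / ((1 + x) * (1 + y))

def total_cost(x, y):
    """Equation (1): C_s = D(x, y) + x + y."""
    return loss(x, y) + x + y

def best_response(other, share):
    """Spend minimising share*D + own spend, given the other party's spend.

    First-order condition: share * L / ((1 + own)^2 * (1 + other)) = 1.
    """
    return max(0.0, math.sqrt(share * L / (1 + other)) - 1)

def equilibrium(share_x, share_y, rounds=200):
    """Iterate best responses until they stop moving (a Cournot-Nash point)."""
    x = y = 0.0
    for _ in range(rounds):
        x, y = best_response(y, share_x), best_response(x, share_y)
    return x, y

def marginal_loss_reduction(x, y, h=1e-6):
    """Loss avoided per extra $1 of producer spend, -dD/dx (central difference)."""
    return -(loss(x + h, y) - loss(x - h, y)) / (2 * h)

# Cost-minimising point: each side weighs the full loss (share 1.0 each).
optimum = equilibrium(1.0, 1.0)
# Nash outcome under an assumed 50/50 split of who bears the loss.
nash = equilibrium(0.5, 0.5)

if __name__ == "__main__":
    for name, (x, y) in (("optimum", optimum), ("nash", nash)):
        print(f"{name}: x={x:.2f} y={y:.2f} loss={loss(x, y):.2f} "
              f"C_s={total_cost(x, y):.2f} -dD/dx={marginal_loss_reduction(x, y):.2f}")
```

Under these assumptions the Nash outcome stops short of the cost-minimising point: each party spends less, the total cost is higher, and a further $1 of spending would still remove more than $1 of expected loss.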
At present, the cost functions directed towards many industries (such as banks in
regulated countries including Australia) are sufficient in that there is but a trivial
increase in marginal demand for the consumer for an incremental increase in security
expenditure. The producing company is likely to do little and that which they do
conduct has a minimal effect. For instance, Microsoft is unlikely to greatly improve the
security of its operating system through minimising patches due to the increasing cost
of finding additional bugs in its software. If it did so, the cost point is such that
Microsoft's profit would be diminished as consumers are generally unwilling to bear the
cost increment that this would entail. The incremental cost of finding additional bugs
exceeds the total cost to all consumers of taking an alternative course of action such
as installing HIDS (Host Intrusion Detection Software) and host firewalls.
The loss for the consumer is lessened to a lower extent than the loss of the
producer. With fraud loss limits of $50 in countries such as Australia for online