Optimal Information Security Architecture for the Enterprise

43 Pages Posted: 23 Jan 2008

Vineet Kumar

Harvard Business School

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Tridas Mukhopadhyay

Carnegie Mellon University - David A. Tepper School of Business

Date Written: January 1, 2008

Abstract

Information security is growing to be an IT priority for many firms, but several critical dimensions of enterprise security, such as the type of loss or the strategic effects of countermeasures, have received little attention in the economics-based literature. We develop a model of a contagious threat that can attack multiple divisions of a firm's enterprise network and cause both availability and confidentiality losses. Firms commonly deploy countermeasures to mitigate the harmful effects of threats. Such deployment is complicated by the CIO's lack of information about the divisions' information systems and by the differing goals of division managers. In this setting, we model the business process and interconnectivity requirements of the enterprise and demonstrate how to optimally design the security architecture, which consists of protection, recovery and cryptographic measures. We evaluate commonly suggested mechanisms such as subsidies and liability and find that they are inadequate as well as informationally demanding. To remedy these problems, which directly affect practitioners, we derive mechanisms that have no ex-post informational requirements and are easily implementable for both availability and confidentiality losses. Some of our results are counterintuitive, notably that countermeasures can be overdeployed by division managers and that having a single platform for all divisions can decrease unexpected confidentiality losses.

Keywords: Information Security, Availability Losses, Confidentiality Losses, Enterprise Security Architecture

Suggested Citation

Kumar, Vineet and Telang, Rahul and Mukhopadhyay, Tridas, Optimal Information Security Architecture for the Enterprise (January 1, 2008). Available at SSRN: https://ssrn.com/abstract=1086690 or http://dx.doi.org/10.2139/ssrn.1086690

Vineet Kumar (Contact Author)

Harvard Business School

Soldiers Field Road
Morgan 179
Boston, MA 02163
United States

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)

Tridas Mukhopadhyay

Carnegie Mellon University - David A. Tepper School of Business

5000 Forbes Avenue
Pittsburgh, PA 15213-3890
United States
412-268-2307 (Phone)

HOME PAGE: http://web.gsia.cmu.edu/display_faculty.aspx?id=102
