Download the full-sized PDF of Decision Making for Information Security InvestmentsDownload the full-sized PDF



Permanent link (DOI):


Export to: EndNote  |  Zotero  |  Mendeley


This file is in the following communities:

Graduate Studies and Research, Faculty of


This file is in the following collections:

Theses and Dissertations

Decision Making for Information Security Investments Open Access


Other title
Elasticity of Demand
Information Security
Continuous Time Markov Chain
Customer Utility
Type of item
Degree grantor
University of Alberta
Author or creator
Yeo, M. Lisa
Supervisor and department
Schultz, Kenneth L. (Business)
Patterson, Raymond A. (Business)
Examining committee member and department
Jacob, Varghese (University of Texas, Dallas, Jindall School of Management)
Sorenson, Paul (Computing Science)
Ingolfsson, Arman (Business)
Kolfal, Bora (Business)
Faculty of Business
Operations and Information Systems
Date accepted
Graduation date
Doctor of Philosophy
Degree level
Enterprises must manage their information risk as part of their larger operational risk management program. Traditionally, IT security investment decisions are made in isolation. However, as firms that compete for customers in an industry are closely interlinked, a macro perspective is needed in analyzing these decisions. Using the notions of direct- and cross-risk elasticity to describe the customer response to adverse IT security events in the firm and competitor, respectively, we analyze optimal security investment decisions. The continuous-time Markov chain (CTMC) is a natural way to examine how the combination of the expected adverse event arrival rate and the expected duration of customer reactions to these adverse events impacts security spending and expected profits, given different types of customer reaction. Expanding this work, customer utility is modelled using a Hotelling setting in order to examine how the introduction of minimum security spending requirements affect total social welfare. Optimal IT security spending, expected firm profits, total social welfare, and the willingness of firms to cooperate on security improvements are highly dependent on the nature of customer response to adverse events. Once firms have made a decision regarding their security investment level, managers must consider how to implement information security controls. The effectiveness of three different control placement methods is examined by defining a flow risk reduction problem and presenting a formal model using a workflow framework. One year of simulated attacks is used to validate the quality of the solutions, finding that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment measures compared to heuristics that would typically be used by managers to solve the problem. By using a workflow approach to control placement, guiding the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically. The contribution of this body of work is to provide managers with methods for deciding on the level and selection of information security investments, obtaining significantly better returns on these security investments.
This thesis is made available by the University of Alberta Libraries with permission of the copyright owner solely for the purpose of private, scholarly or scientific research. This thesis, or any portion thereof, may not otherwise be copied or reproduced without the written consent of the copyright owner, except to the extent permitted by Canadian copyright law.
Citation for previous publication

File Details

Date Uploaded
Date Modified
Audit Status
Audits have not yet been run on this file.
File format: pdf (Portable Document Format)
Mime type: application/pdf
File size: 2020992
Last modified: 2016:08:04 16:48:31-06:00
Filename: Yeo_M Lisa_Fall 2012.pdf
Original checksum: 38843f0d52f98c1aba4a9bffd9701031
Well formed: true
Valid: true
Page count: 120
Activity of users you follow
User Activity Date