In every economic undertaking, one has to consider the security risks associated with that undertaking before realizing the expected utility. Since information is a vital component that determines the success of any economic activity, the systems that keep, manage and disseminate such information have to be safeguarded in order to protect it. During this process, several factors are considered:
The severity of the risk: the magnitude of the risks involved in managing and conserving the information determines the trade-off between taking cautious measures and ignoring the risk. The cost incurred after cybercrime, hacking or phishing has taken place in a banking system is high compared to the cost involved in securing sophisticated software and expertise to prevent such risks (Anderson & Schneier, 2005). Microsoft Inc. decided to protect its product using a firewall to avoid such risks. The same reasoning explains why someone may prefer certain routes at night (although long) to avoid kidnappings and hijacks. This behavior is common in the United Kingdom.
The probability of the risk: this has to do with emotional and psychological attachments to the risks involved. Before September 11th, 2001, the citizens of the United States were not afraid of terrorism. For this reason, any citizen of America would prefer to protect any vital information or aspect that determines his economic activity. The idea that the liability for the risk rests on the interested party of any undertaking makes entrepreneurs fall prey to high losses. For instance, medical records are kept and managed by insurance companies and hospital directors; their interest is vested only in the accounts and research and not in the patient’s interests. As a result, the patient usually has no confidence in such parties, as he thinks his health records may be at greater risk of being lost or distorted.
The magnitude of the costs: in his article, Bruce Schneier argues that the American Government should not consider installing a national ID security system at a cost of $23 billion. He goes on to state that there is a trade-off between security and the cost involved. Following this ideology, a balance should exist between the two. In his works, he cites evidence that despite tight security measures, criminals always forged identity cards, but with fake names (Schneier, 2008). The information in the homeland security database could not trace such names as having been previously involved in crime. Economically, if the expected utility derived from taking security measures to protect one’s vital information is lower than the cost involved, then the measures are rather ignored.
How effective the countermeasure is at mitigating the risk: that is, its effectiveness at alleviating the occurrence of a risk involved in managing and protecting information. The procedure involved in preventing the risk also determines the trade-off between protecting and “throwing caution to the wind”. An excellent example is given when analyzing the economics of vulnerability: working on a Windows operating system platform may be more vulnerable to cybercrime attacks than running on a UNIX operating system. The rationale behind it is that the removal of a “bug” from the Microsoft Windows operating system exposes it to attacks. In this case, one may prefer running a UNIX operating system to the Microsoft Windows operating system. Notably, vulnerability disclosures may improve the security of information kept in a system running on a given operating system (Gordon & Richardson, 2004).
These economic considerations do not serve their purpose fully because of emotional and psychological interference in the mitigation of the risks. For instance, how well a risk may be compared to cost depends on the conventional wisdom about that risk. People may downplay common risks while focusing on spectacular, rare ones. In such cases, it depends on one’s perception of the risk. For the same reason, a banking institution may mitigate the occurrence of risk in departments like accounting and finance at the expense of other departments like human resources. Although this is meant to reduce the cost of operations, it is deemed risky: information may be at risk of attack from any system in any department. Therefore, it is wise to accept a costly mitigation procedure that ensures the safety of vital information and other factors of production.
Additionally, the probability of the occurrence of the risk has a mathematical aspect. Even so, it depends heavily on other biases and heuristics about the risk. Certain companies may think that they can limit costs by installing less costly and vulnerable systems of information management. On realizing that a competitor who used the same systems has lost information through white-collar crime because of those information management systems, they opt to avoid some online transactions (Schneier, 2008). This “optimism bias” should not be allowed in an effort tailored to protect the vital information of a given firm. Similarly, easily remembered data may be given priority over hard-to-remember data when it comes to protection against distortion (West, 2008). Such incidences may lead to a bad evaluation of a risk and thus expose the company’s information to distortion.
These economic measures help in assessing the magnitude of the risk involved in the whole process of data management. In a perfectly competitive market structure, the consumer is assumed to have perfect information about the market. It is, therefore, vital for any market operator to protect his information based on the above determinants. Again, heavy losses may be avoided in a situation where the cost involved in managing the information is high; for instance, an additional $23 billion on the American budget to improve national ID systems could not have been avoided were it not for these economic measures (Schneier, 2008). Apart from that, the participants in any production process have a variety of options, facilitated by the economic measures used to evaluate security issues related to data management.
In a bid to come up with an economic mechanism tailored to improve information security, all economic relationships with external entities should be arranged so that everyone has a self-interest in the economic undertaking. According to The Economist, mechanism-design theory should have the major objective of minimizing the cost of “asymmetric information”. A good example to explain this theory is dealing with a person who has more information about a given production process than the owner. Such cases are built only on trust, whereby everyone behaves in an honest way. Although it is easy to reach such equilibrium, information security and management become easy when all parties share the private and vital information at their disposal. Going by Myerson’s revelation principle as described in The Economist, some aspects of mathematics should be used in an effort to get truthful, private information from persons. Game theory and implementation theory should be brought on board, especially when undertaking economic processes that involve risks.
Anderson, R., & Schneier, B. (2005). Economics of Information Security. IEEE Security and Privacy, 3(1), pp. 12-13.
Gordon, L. A., & Richardson, R. (2004). The New Economics of Information Security. Optimize. Trident library, pp. 83-867.
West, R. (2008). The Psychology of Security. Communications of the ACM, 51(4), pp. 34-40.
Economic Focus: Intelligent design. (2007, October 18). The Economist.
Schneier, B. (2008). The Psychology of Security. Retrieved on 31st August from: http://www.schneier.com/essay-155.html
Schneier, B. Security at What Cost? National ID System Is Not Worth The $23 Billion Price Tag. Retrieved on 31st August from: http://www.schneier.com/essay-207.html