New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”

by Russell on March 17, 2013

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to the Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question. We use the WTP approach in a specific way, by posing this question to all affected stakeholders:

“Ex ante, how much would you be willing to spend on response and recovery for a breach of a particular type? Through what specific activities and processes?”

We hope this approach can bridge theoretical and empirical research, and also professional practice.  We also hope that this method can be used in public disclosures.

Paper: How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

Infographic from the example in the paper

In the next few months we will be applying this to half a dozen historical breach episodes to see how it works out.  This model will also probably find its way into my dissertation as “substrate”.  The dissertation focus is on social learning and institutional innovation.

Comments and feedback are most welcome.

3 comments

[...] the The New School of Information Security blog, I’ve discovered this paper (“How Bad is it? – A Branching Activity Model to [...]

by » How bad is it? Measuring security breach impact ibium.net on March 18, 2013 at 7:03 pm.

[...] Impact Estimation’,” The New School of Information Security, 17-Mar-2013. [Online]. Available: http://newschoolsecurity.com/2013/03/new-paper-how-bad-is-it-a-branching-activity-model-for-breach-i…. [Accessed: [...]

by SCHAUBA SEC » The Week That Was – 2013-03-19 on March 20, 2013 at 2:20 am.
