Our research approach is to quantify the perception of current cybersecurity-related risks and business opportunities on both sides of a business relationship through a set of interviews. The results will illuminate:
Modeling How Firms Adopt Information Security Capabilities
By looking at the process organizations use to adopt information security measures, we can begin both to characterize the information security approach of companies and to determine the complete set of possible drivers for information security adoption by organizations. We will interview CIOs, CSOs, and other decision-makers about how their organization makes and implements information security investment decisions, following a framework that we believe to be generic enough to encompass most information security decision processes.
This framework will serve as the basis for discussions with decision-makers and influencers within the organization. There are three parts to this framework, shown in the figure above:
Are larger firms making better security investments (and better patch management decisions) than smaller firms, creating a security gap in the extended enterprise? How are firms managing risk across the extended enterprise? Should large, relatively secure firms be concerned about collaborating with smaller, less secure firms?
To address these issues we are studying the supply chains of the firms interviewed in the first focus above by interviewing a number of each customer's direct suppliers. By choosing firms of different sizes to study, we will be able to determine the relative information security stance of companies of various sizes, and thus whether a gap exists. Studying organizations together with their supply chains gives us access to companies across a range of sizes. We are currently testing a metric that we will use to rank an organization's information security stance. The metric uses the inputs to decision-making, the filters for resolving tensions, the level of adoption of security recommendations, and the information security measures actually implemented as indicators of an organization's stance regarding information security.
Interdependency Risk Magnitude
If the security of a firm is increasingly dependent on the security of the other firms in its extended enterprise, how large is the real or perceived security problem? What are the security risks, and how do they translate into business risks? Knowing how vulnerable or resilient supply chains and extended enterprises are to a security failure at one of their members will directly inform the policy debate about how much information security is needed for a public good.