Before I begin, I’d like to thank Dr. Gordon for an interesting exchange of emails regarding information security economics, specifically enablement and positive return through information security assets.
Security enablement is the next topic, and certain parties are intensely aligned with one of three positions: that it is not possible, that it is possible in certain instances, or that it is possible more frequently than generally believed.
Sam DeKay and I published a paper entitled “Virtual Trust: How to Gain and Sustain a Competitive Advantage using Information Security”. We demonstrated through real world cases how information security mechanisms and protocols may be used to create trust and enablement, rather than simply “loss prevention.” We also made an effort to point out that enablement and loss prevention are not incompatible models and both are necessary to understand information security.
I wanted Dr. Gordon’s take on the economics of information security, and specifically whether or not information security can be used as an enabling mechanism. I also wanted to know if this constitutes a positive return, rather than loss prevention.
Please read all correspondence before commenting. Here is our exchange of emails.
There are numerous empirical studies which show that information security breaches can cause significant economic losses for an organization. Thus, it is common to consider information security investments as “cost savings” projects. To the extent such “cost savings” projects are successful in helping an organization avoid some security breaches, they clearly assist in preserving an organization’s revenues (or wealth). Thus, individuals who argue that information security activities help preserve the wealth of an organization are certainly correct.
However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in the short run, until competing firms catch up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s). The increased demand for a firm’s product is clearly creating wealth for the firm (i.e., creating business value). The extent to which such wealth can be created will vary from industry to industry. For example, firms that operate in industries that rely heavily on Internet-based sales and/or Internet-based transactions are prime candidates for striving to achieve such “competitive advantage.” Firms that operate in industries that rely heavily on the notion of “trust” are also good candidates for striving to achieve such “competitive advantage.”
In sum, the argument that information security activities will help to preserve an organization’s wealth is certainly true. However, it is also true that information security activities can help an organization to develop a “competitive advantage” that will result in creating wealth for an organization.
I then asked for clarification:
Thanks for your earlier reply.
Just to clarify a bit:
Can we also say that information security mechanisms, or combinations thereof (for example, digital certificates, authentication, DRM, etc.), enable businesses to create trust between parties and create new streams of revenue, and could therefore be considered business enablers as well as instrumental in creating a positive return? Might we say that, in certain cases, even though information security mechanisms are a necessary but not sufficient condition for revenue generation, these mechanisms can play other roles than simply “loss prevention”?
Thanks for your time.
To which he replied:
Yes, I would agree with all of the points noted in your [above] note. I was attending the annual American Accounting Association meeting (in Chicago) for most of last week. As you know, being away for the better part of a week means you play catch-up for another week. Thus, I gave you a quick answer (close to 1 a.m. in the morning) to an important and complicated issue.
Virtual Trust is a defensible position. It also seems to me important to discuss how information security practices may also be viewed as enablers — both technically and economically — instead of only as loss prevention mechanisms.
My hope is that this post opens a dialog for people who are interested in stepping out of their “loss prevention” comfort zone.