A RAND INFRASTRUCTURE, SAFETY, AND ENVIRONMENT PROGRAM
Cybersecurity Economic Issues
Corporate Approaches and Challenges to Decisionmaking
Cybersecurity economics is an emerging field. There is a significant need for better data, better understanding, and better methods for using resources wisely, not only to protect ...
RAND research briefs present policy-oriented summaries of published, peer-reviewed documents.
1776 Main Street P.O. Box 2138 Santa Monica, California 90407-2138 TEL 310.393.0411 FAX 310.393.4818
© RAND 2008
Companies and organizations can use a wide variety of security practices and policies to describe, implement, and monitor cybersecurity. To understand what influences security-related investment decisions and how business perspectives affect cybersecurity perceptions, RAND researchers interviewed the chief security officers of six companies in the Internet supply chain. These leaders revealed vastly different attitudes about the role of security in the context of their corporate goals. The analysis suggests that a company's culture and approach to market discipline can predict corporate attitudes about cybersecurity. To understand these security approaches, the RAND team considered a business framework that could help explain the interview results and also identify which one of three market disciplines companies embrace to compete in the marketplace: operational excellence, product leadership, or customer intimacy.[1] This framework has been useful in other software-engineering contexts in which it has assisted technology adoption within the context of corporate culture. In addition, the authors believe that the framework can be used not only to analyze existing security attitudes but also to predict likely future cybersecurity actions and attitudes.
[1] Michael Treacy and Frederik D. Wiersema, The Discipline of Market Leaders: Choose Your Customers, Narrow Your Focus, Dominate Your Market, Reading, Mass.: Addison-Wesley, 1995.
An operationally excellent company strives to provide both high-quality customer service and the lowest prices for its goods and services. It emphasizes efficiency and dedication to quality control along with a carefully managed supply chain. Because security is a facet of quality, an operationally excellent company takes security very seriously. By applying standards, controlling processes, and encouraging certification, operationally excellent companies consider security to be central to their trusted brand.
By contrast, a product leader focuses on features and functionality, prizing innovation as it experiments with new offerings. Whereas operationally excellent companies take few risks, product leaders encourage new ventures and a steady stream of new products. Although they take security seriously, good-enough security is a guiding principle; innovation, not process, is the key to avoiding or preventing security problems. As a result, security takes a back seat to performance, is less centralized, and is not the key determinant of a product's success.
The third market discipline, customer intimacy, emphasizes customer needs and requests and excels at meeting them. Security is important for customer-intimate companies when customers express security needs. Thus, the...