Enterprise Information Security: Who Should Manage it and How?

In the recent past, information security has received a lot of attention in the business and trade press. Much of this can be attributed to an increase in security breaches leading to major losses for the affected enterprises. The CSI/FBI 2005 [4] security survey reports 13 different attack types, ranging from website defacement to financial fraud to Internet worms and viruses. Several reports in the business press point to the increasing number of vulnerabilities in commonly used software, as well as to the viruses and other threats that seek to exploit these vulnerabilities, and detail how this is becoming a growing problem for enterprises. Effective countermeasures exist for many of these threats, but they are often not correctly deployed because of the specific characteristics of the information systems in use or the capabilities of the IT staff. The economic analysis of information security has many dimensions, as evidenced by the literature, including risk management approaches, insurance, vulnerability analysis, information sharing, etc. However, the role of decision making within the enterprise, and the related issues of incentives and information asymmetry within a firm, have not received much attention in the context of information security. Our objective is to address specifically how a multi-division enterprise should make optimal information security deployment decisions in light of the above factors. Much attention has been focused on detailing the operation of countermeasures (e.g. firewalls that protect against unauthorized traffic), but little attention has been paid to who in the enterprise makes the decisions regarding deployment of these measures and what policies are in place to govern such decision making.
When discussing enterprise security, it is important to understand that enterprises are not homogeneous entities: their divisions often use varied information systems, which are commonly interconnected with each other and with the Internet. In addition, some divisions may not value their information assets as highly as others, or may not be as capable of expertly deploying security