A CONCEPTUAL MODEL FOR INFORMATION SECURITY AND ITS IMPLICATIONS FOR INFORMATION INSURANCE

摘要

Over the last few years, information security has been receiving a significant amount of society's attention. However, a fundamental question is still being continually asked: what on earth is information security? In the authors' opinion, although information security has a technological component, it is not a problem that technology can fully solve. This issue is increasingly shifting from what is technically possible to what is economically optimal. In other words, the management of information security is a much deeper and more political problem than is usually realized. Traditional solutions are bound to fail for good technical reasons and good business reasons. A new approach is required. Based on these understandings, this paper presents a conceptual framework and a contingency model for analyzing current initiatives on managing information security. Equally important, the authors propose as well a set of priorities for managerial attention that is contingent upon user's stage of information security activities. Further, the increased vulnerability to substantial economic loss from attacks through information systems is causing many executives to seek additional tools to manage information security risk. One new tool is the use of recently developed information insurance policies (that is, policies that provide coverage against losses from information-related breaches in information system). This paper also proposes some implications for designing information insurance policies in the respects of pricing, adverse selection, and moral hazard.