A Cost-Benefit Approach to Optimizing Security Precaution Adoption
Noa Barnir, Neil Gandal, Tyler Moore and Vincent Scott
No 20562, CEPR Discussion Papers from Centre for Economic Policy Research
Abstract:
Purpose: All U.S. defense contractors were required to have fully implemented the 110 security requirements included in NIST Special Publication 800-171 entitled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” by 1 January 2018 whenever a system owned, or operated by or for, a contractor processes, stores, or transmits controlled unclassified information (CUI). Despite the mandate, adoption has been minimal, mostly because the requirement is so costly and time-consuming that medium and small firms cannot afford to comply. Since the adoption of security precautions is costly and time-consuming, in this paper, we propose a constrained optimization methodology to examine this issue.
Design and Methodology: In this paper, we introduce a method to significantly reduce the number of required precautions by soliciting expert opinion as to the perceived benefits and costs of all precautions. We defined the difference between benefits and costs as value.
Findings: In the key constrained optimization exercise we conduct, we show that including only the top 50 security precautions (out of the 110 security precautions) led to just a very small decline in value.
Originality: This paper makes an important contribution to information security research. To the best of our knowledge, no one has conducted similar analysis on the 110 proposed precautions.
Note - Forthcoming, Information and Computer Security 2025
Keywords: Cost benefit analysis; security precautions
JEL-codes: D6
Date: 2025-08
Downloads:
https://cepr.org/publications/DP20562 (application/pdf)
Persistent link: https://EconPapers.repec.org/RePEc:cpr:ceprdp:20562
Ordering information: This working paper can be ordered from
https://cepr.org/publications/DP20562
More papers in CEPR Discussion Papers from Centre for Economic Policy Research 33 Great Sutton Street, London EC1V 0DX, UK.
Bibliographic data for series maintained by CEPR.