Modelling and analysis of corporate efficiency and productivity loss associated with enterprise information security technologies

Abstract

By providing effective access control mechanisms, enterprise information security technologies have been proven successful in protecting the sensitive information in business organizations. However, such security mechanisms typically reduce the work productivity of the staff, by making them spend time working on non-project related tasks. Therefore, organizations have to invest a signification amount of capital in the information security technologies, and then to continue incurring additional costs. In this study, we investigate the non-productive time (NPT) in an organization, resulting from the implementation of information security technologies. An approximate analytical solution is discussed first, and the loss of staff member productivity is quantified using non-productive time. Stochastic Petri nets are then used to provide simulation results. Moreover, sensitivity analysis is applied to develop a cost-effective strategy for mitigating the negative impact of implementing information security technologies. The presented study can help information security managers to make investment decisions, and to take actions toward reducing the cost of information security technologies, so that a balance is kept between information security expense, resource drain and effectiveness of security technologies.