Main Page
From Meritology
This wiki is a tool to facilitate collaborative research and co-authoring of research papers and other publications. Participation is invitation-only.
Contact: russell.thomas <at this domain name>.
Projects
- Project RED QUEEN -- information security modeled as an evolutionary arms race.
Publications
Open Letter - "R&D Initiative for Incentive-based Cyber Trust" (PDF 94KB, 9 pages)
Summary: A letter to the Commission on Cyber Security for the 44th Presidency, Counsel on Strategic and International Studies. It provides recommendations on US Government action to jump-start and promote an R&D Initiative for Incentive-based Cyber Trust.
White Paper - "Incentive-based Cyber Trust -- A Call To Action"
(PDF 530KB, 27 pages; Executive Summary PDF 57KB, 6 pages, Presentation, PPT 486KB, Conference version MS WORD, 15 pages, accepted for i-Society 2007)
Summary: Many problems in cyber trust exist at least partially because the people and institutions involved are not properly motivated to solve them. The incentives are often perverse, misaligned, or missing. By improving economic, social, and personal incentives, cyber trust can be significantly improved. Incentive-based cyber trust includes usability, risk information systems, risk communications, social knowledge, markets, and incentive instruments, along with enabling technology and a supporting legal/regulatory/institutional framework. While there is research underway into these problems, it is not happening on sufficient scale, scope, or timeframe necessary to deliver breakthrough commercial solutions soon enough. We propose an initiative to drive breakthroughs for incentive-based cyber trust. An initiative will mobilize more resources (money and people) and create new synergies between existing academic disciplines, institutions, consortia, and interest groups. Most important, it will create a critical mass of the brightest thinkers across the globe, provide platforms for collaboration and innovation, and set bold, motivating goals and targets.
Presentation - "Total Cost of Cyber (In)security" (PPT 546KB; includes speaker notes. Presented at Mini-metricon, San Francisco, Feb. 6, 2007)
Summary: Presents an approach to integrate operational security metrics with business decision-making, especially budget decisions, investment decisions, priority decisions, strategy decisions, and tactical decisions in day-to-day implementation or execution. Drawing an analogy to the Total Quality Management movement, the approach is called "the Total Cost of Security (or Insecurity)". By dividing costs into three categories: "Budgeted", "Self-insured", and "Catastrophic", it shows how operational security metrics can be used in each of these cost estimates. This approach makes the most of existing information, aligns with decision-making processes, and avoids the problem of conflating reliable and unreliable estimates. In addition to helping with security cost and performance management, this approach highlights the importance of organization learning and discovery.
Presentation - "Security Meta Metrics -- Measuring Agility, Learning, and Unintended Consequences"
(PPT 383KB; includes speaker notes. Presented at Metricon 2.0, Boston, Aug. 8, 2007)
Summary: This presentation will highlight several meta-metrics that are essential for information security success in modern organizations, yet are often completely missing. Even a few "candles" in this darkness will dramatically improve management of information security and its overall contribution to organization success.
White Paper - "Business Value Analysis: Coping With Unruly Uncertainty"
(PDF 296KB -- Originally published in Strategy & Leadership, Vol. 29 #2, March/April 2001, MCB University Press)
Summary: Traditional return on investment analysis techniques like Discounted Cash Flow (DCF) and Net Present Value (NPV) fall short of providing adequate decision support in today’s turbulent environment. New techniques, grouped under the concept called "Business Value Analysis" (BVA), show promise. These techniques include Real Options, Intellectual Capital, Business Model Dynamics, and Synthetic Markets. They extend DCF to include intangibles and other factors common to the digital economy. These techniques are just now emerging from research and they are undergoing further development, refinement, and testing on the way to becoming widespread in practice. It's unlikely any of these techniques will be a “silver bullet” that makes your investments a sure thing, but you can improve your chances of success and business performance.
Working Paper - "Business Value Analysis Framework"
(PDF 373KB; also see the single page "Big Picture" diagram)
Summary: Presents an approach to analyze business value across markets (product/service markets, skills markets, financial markets, ideas/power, and legal/regulatory/physical/social environment). Also presents a value chain model of business value, combining the perspectives of process, perception, structure, finances, and knowledge.
Presentation - "Qualitative Models of Complexity"
(PDF 1774KB -- Presented at the Wharton Conference on Complexity and Business, April 1999)
Summary: Presents an argument for academic study of Qualitative Complexity within Complexity Science, with research opportunities and applications in business and social sciences. Presents examples of Qualitative Complexity in the case of business transformation in a software company. Discusses research questions, possible approaches, and the framework for a new theory.
Other
- WEIS 2010 presentations -- audio and slides from some presentations

