Information Systems Research
Vol. 16, No. 1, March 2005, pp. 28–46
issn 1047-7047 eissn 1526-5536 05 1601 0028
doi 10.1287/isre.1050.0041
©2005 INFORMS
The Value of Intrusion Detection Systems in
Information Technology Security Architecture
Huseyin Cavusoglu
A. B. Freeman School of Business, Tulane University, 7 McAlister Drive, Goldring/Woldenberg Hall,
New Orleans, Louisiana 70118, huseyin@tulane.edu
Birendra Mishra
School of Management, University of Texas at Dallas, Richardson, Texas 75083, and
Anderson Graduate School of Management, University of California, Riverside, Riverside, California 92521,
barry.mishra@ucr.edu
Srinivasan Raghunathan
School of Management, University of Texas at Dallas, Richardson, Texas 75083, sraghu@utdallas.edu
The increasing significance of information technology (IT) security to firms is evident from their growing
IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems
(IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating,
a debate exists in the IT security community about the value of these technologies. In this paper, we seek to
assess the value of IDSs in a firm’s IT security architecture. We find that the IDS configuration, represented
by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive
or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only
when the detection rate is higher than a critical value, which is determined by the hacker’s benefit and cost
parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However,
irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to
better target its investigation of users, while keeping the detection rate the same. Our results suggest that the
positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled
by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures
the IDS optimally based on the hacking environment.
Key words : economics of IT security; intrusion detection systems (IDSs); ROC curves; security configuration;
IT security management
History : Tridas Mukhopadhyay, Senior Editor; M. S. Krishnan, Associate Editor. This paper was received on
December 5, 2001, and was with the authors 5 months for 2 revisions.
1. Introduction
Dramatic increases in the number of IT security breaches and resulting monetary losses in recent years have made IT security a top issue in the management of IT infrastructure,¹ which is also reflected in the increasing security budgets of firms (Hulme 2002). Businesses and governments have undertaken several measures to minimize the loss from security breaches. IT security–related laws, popularly known as cyber laws, enacted by governments, act as broad deterrents against IT-related crimes. These external control mechanisms supplement a firm’s internal control mechanisms. Traditionally, internal controls fall into two major categories: preventive and detective. In the IT security context, preventive controls, such as firewalls, aim to develop a defensive shield around IT systems to secure them from intrusions. Detective controls, such as IDSs, try to detect intrusions that have already occurred. Because complete pre-

¹ The number of computer intrusion cases filed with the Department of Justice jumped from 547 in 1998 to 1,154 in 1999 (Goodman and Brenner 2002). The losses from computer crime incidents reported by the Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) surveys were $456 million in 2002, in contrast to $378 million in 2000 and $266 million in 1999 (Power 2002). A global survey conducted by InformationWeek and PricewaterhouseCoopers LLP estimated that computer viruses and hacking took a $1.6 trillion toll on the worldwide economy and a $266 billion toll in the United States alone (Denning 2000).