Transcript Organizational Risk and the Costs and Benefits of Biometrics

Organizational Risk and
the Costs and Benefits
of Biometrics
Presentation to the European Union
Biometrics Group
May 14, 2004
Virginia Franke Kleist, Ph.D.
College of Business and Economics
West Virginia University
West Virginia, USA
Introduction






Economic drivers for the biometrics industry
Vendor Manufacturing Issues
Vendor Marketing Issues
Customer risk as a potential cost
The costs and benefits of biometrics
The biometrics decision as optimizing the fit
between organizational risk and biometrics
cost
How Can Academics Understand
the Biometrics Industry?







Positive network externalities, tipping point,
increasing returns to scale
Embedded base, large government purchases
Production economics
Open source code issues and standards
development
Information industries and dominant firms, new
technology market behaviors
Transactions cost theory
Substitution goods
Path Dependency to
Technology Dominance
Product A (e.g.,
VHS, QWERTY
keyboard)
Time
Product B (e.g.,
Beta, Dvorak
keyboard)
Biometrics Industry Supply and
Demand
Price
Quantity
Price
As user’s
potential risk of
loss increases,
users will pay
more for
increased
security from
biometric, cost
benefit, and
vulnerability
R2
R1
R3
Do various biometric
devices cost more as
their security detection
cost/benefit profiles
increase? Is there a
relationship? Can two
do a better job than
one?
Quantity
The customer demand for biometrics devices, (Yb) is some function of the following
variables:
Yb =  - ß1 x1 + ß2 x2 - ß3 x3 - ß4 x4 - ß5 x5 - ß6 x6 + ß7 x7 + 
x1 = Price of system;
x2 = Effectiveness of establishing security for buyer: e.g., ease of use, enrollment, stability of technology, resistance to false matching
(single or system), false non-match rate, stability of biometric over time, perceptions of intrusiveness, convenience vs.
deterrence (Nanavati, et al., 2002);
x3 = Price and effectiveness of substitution goods: Pin numbers, security guard, closed system, redundancy, backup procedures,
disaster planning;
x4 = Insurance infrastructure: Is the potential loss from improper intrusion covered by insurance;
x5 = Legal structure: Effectiveness of legal infrastructure for prosecution of intrusion violations (Lessig, 1999);
x6 = Human Trust: The intrinsic level of trust between the parties involved
x6 = Risk of Loss from intrusion
Vendor Supply Side
Manufacturing Issues





How well can we make the device work?
How cheaply can we make the device?
Can we manipulate the market to help reduce
our production costs?
Are we getting more cost effective as we sell
these devices over time?
How much more should we spend on our
product development?
Vendor Supply Side Marketing
Issues







Within market and across market issues
Market share of device type, market share of
vendor
What’s the “buzz” ?
Standards vs. proprietary systems
Number of competitors within niche
Does the government like you?
Can you lose money on your product in the
short run?
Enterprise Level Precursor:
Biometrics within Context of Organizational Risk
(1) Identify areas: potential
security / internal control risk
(2) Identify Potential Threats to
Areas within Organization
(4) Estimate cost of security
Breach/IC to organization
(5) Estimate likelihood
of security breach, need for IC
(7)
Rank the most significant quantitative
risks from most expensive to least
(9) Rank the most significant qualitative
risks faced by the organization
(3) Identify Possible Controls and
Prevention Procedures
(6) Calculate expected value and
likelihood of a quantifiable loss
(8) Out of Box thinking on risk,
or qualitative risk analysis
(10) Quantitative + Qualitative
Ranking
(11) EVALUATE APPLICABILITY OF
BIOMETRICS AS A SOLUTION
WITHIN CONTEXT OF ORGANIZATIONAL RISK AND
FIT TO SECURITY AND CONTROL ARCHITECTURE
A Pictorial Representation of the
Business Case Process:
(1) Document the business problem or opportunity
(2) Precursor decisions – Document that
biometrics would be considered an acceptable
solution provided that biometric technologies
resolve the business problem
(3) Frame the business problem in terms of
biometrics:
Verification or identification
Physical versus logical access
Large versus small number of users
(4) Document the strengths and weaknesses of the
various biometrics technologies (solo and/or multimodal) as a solution to the business process
(5) Document the strengths and weaknesses
of the baseline solution and various
substitute goods as a solution to the
business process
(6) Determine performance expectations
for any solution and evaluate whether
biometrics, baseline and substitute goods
solutions meet those expectations
(7) Document benefits
Quantifiable
Soft / Non-Quantifiable
(8) Document costs
Quantifiable
Soft / Non-Quantifiable
(9) Perform Sensitivity Testing
(10) Make decision / Implement pilot test /
Modify / Full-implementation
Organizational Risk and the Costs
and Benefits of Biometrics




Biometric benefit is to reduce risk
Organizational risk can be security or control,
internal or external
The level of risk alters the cost benefit
analysis- more risk, more benefit from a
biometric
There may be a fit between the nature of the
risk and the optimal biometric solution
Organizational Risk and the Costs
and Benefits of Biometrics





Evaluating risk to buyers: what kind of risk?
Evaluation solutions chosen by buyers: what
biometrics chosen and why, what substitutes chosen
and why
Evaluating biometric in terms of nature of solution
Evaluating fusion of biometrics as a solution to risk
Evaluating biometrics fused with non-biometric
substitute good as a solution to risk
Contact




Thank you for your interest
Best wishes on implementation
Virginia Kleist: 304-293-7939,
[email protected]
Please contact me regarding issues of
organizational risk and biometric fit