{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:11:01Z","timestamp":1750219861343,"version":"3.41.0"},"reference-count":17,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,2,28]],"date-time":"2023-02-28T00:00:00Z","timestamp":1677542400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Queue"],"published-print":{"date-parts":[[2023,2,28]]},"abstract":"<jats:p>Opportunity cost should not be an afterthought when making security decisions. One way to ease into considering complex alternatives is to consider the null baseline of doing nothing instead of the choice at hand. Opportunity cost can feel abstract, elusive, and imprecise, but it can be understood by everyone, given the right introduction and framing. Using the approach presented here will make it natural and accessible.<\/jats:p>","DOI":"10.1145\/3588041","type":"journal-article","created":{"date-parts":[[2023,4,4]],"date-time":"2023-04-04T16:08:09Z","timestamp":1680624489000},"page":"30-56","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Opportunity Cost and Missed Chances in Optimizing Cybersecurity"],"prefix":"10.1145","volume":"21","author":[{"given":"Kelly","family":"Shortridge","sequence":"first","affiliation":[{"name":"Fastly"}]},{"given":"Josiah","family":"Dykstra","sequence":"additional","affiliation":[{"name":"National Security Agency"}]}],"member":"320","published-online":{"date-parts":[[2023,4,4]]},"reference":[{"doi-asserted-by":"publisher","key":"e_1_2_1_1_1","DOI":"10.1287\/mnsc.1050.0440"},{"key":"e_1_2_1_2_1","volume-title":"United States Digital Service, and Federal Risk and Authorization Management Program","author":"Cybersecurity and Infrastructure Security Agency","year":"2021","unstructured":"Cybersecurity and Infrastructure Security Agency, United States Digital Service, and Federal Risk and Authorization Management Program. 2021. CISA cloud security technical reference architecture; https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CISA%20Cloud%20Security%20Technical%20Reference%20Architecture_Version%201.pdf."},{"volume-title":"Accelerate: the science of lean software and DevOps: building and scaling high-performing technology organizations","author":"Forsgren N.","unstructured":"Forsgren, N., Humble, J., Kim, G. 2018. Accelerate: the science of lean software and DevOps: building and scaling high-performing technology organizations. IT Revolution Press.","key":"e_1_2_1_3_1"},{"doi-asserted-by":"crossref","unstructured":"Forsgren N. Storey M.-A. Maddila C. Zimmermann T. Houck B. Butler J. 2021. The SPACE of developer productivity: There's more to it than you think. acmqueue 19(1) 20-48; https:\/\/dl.acm.org\/doi\/10.1145\/3454122.3454124.","key":"e_1_2_1_4_1","DOI":"10.1145\/3454122.3454124"},{"volume-title":"Predicting the Unpredictable: The Tumultuous Science of Earthquake Prediction","author":"Hough S.","unstructured":"Hough, S. 2010. Predicting the Unpredictable: The Tumultuous Science of Earthquake Prediction. Princeton, NJ: Princeton University Press.","key":"e_1_2_1_5_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_6_1","DOI":"10.1097\/CCM.0000000000000402"},{"unstructured":"Kahneman D. 2011. Thinking Fast and Slow. Macmillan.","key":"e_1_2_1_7_1"},{"volume-title":"On the possible impact of security technology design on policy adherent user behavior ? Results from a controlled empirical experiment","author":"Kurowski S.","unstructured":"Kurowski, S., F\u00e4hnrich, N., Ro\u00dfnagel, H. 2018. On the possible impact of security technology design on policy adherent user behavior ? Results from a controlled empirical experiment. In SICHERHEIT, ed. H. Langweg, M. Meier, B.C. Witt, D. Reinhardt. Bonn: Gesellschaft f\u00fcr Informatik e.V., 145-158; https:\/\/dl.gi.de\/handle\/20.500.12116\/16276.","key":"e_1_2_1_8_1"},{"doi-asserted-by":"crossref","unstructured":"Lain D. Kostiainen K. Capkun S. 2021. Phishing in organizations: findings from a large-scale and long-term study. arXiv preprint arXiv:2112.07498; https:\/\/arxiv.org\/abs\/2112.07498.","key":"e_1_2_1_9_1","DOI":"10.1109\/SP46214.2022.9833766"},{"key":"e_1_2_1_10_1","first-page":"619","volume-title":"Handbook of Affective Science, ed. R. Davidson, H. Goldsmith, and K. Scherer","author":"Loewenstein G.","year":"2003","unstructured":"Loewenstein, G., Lerner, J. S. 2003. The role of affect in decision-making. In Handbook of Affective Science, ed. R. Davidson, H. Goldsmith, and K. Scherer, 619-64. Oxford: Oxford University Press; https:\/\/projects.iq.harvard.edu\/files\/lernerlab\/files\/loewenstein_lerner_2003.pdf."},{"doi-asserted-by":"publisher","key":"e_1_2_1_11_1","DOI":"10.1037\/0278-7393.24.3.771"},{"unstructured":"Organization for Economic Cooperation and Development. 2003. Externalities & OECD. Glossary of statistical terms; https:\/\/stats.oecd.org\/glossary\/detail.asp?ID=3215.","key":"e_1_2_1_12_1"},{"key":"e_1_2_1_13_1","series-title":"January 25","volume-title":"Despite decades of hacking attacks, companies leave vast amounts of sensitive data unprotected. ProPublica","author":"Podkul C.","unstructured":"Podkul, C. 2022. Despite decades of hacking attacks, companies leave vast amounts of sensitive data unprotected. ProPublica (January 25); https:\/\/www.propublica.org\/article\/identity-theft-surged-during-the-pandemic-heres-where-a-lot-of-the-stolen-data-came-from."},{"key":"e_1_2_1_14_1","series-title":"January 14","volume-title":"Die softwareherkunft (software provenance): an opera in two acts. Why would anyone do that?","author":"Poirier G.","unstructured":"Poirier, G. 2022. Die softwareherkunft (software provenance): an opera in two acts. Why would anyone do that? (January 14); https:\/\/grepory.substack.com\/p\/der-softwareherkunft-software-provenance."},{"volume-title":"Security Chaos Engineering","author":"Rinehart A.","unstructured":"Rinehart, A., Shortridge, K. 2020. Security Chaos Engineering. Sebastopol, CA: O'Reilly Media, Incorporated.","key":"e_1_2_1_15_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_16_1","DOI":"10.1023\/A:1008143526174"},{"doi-asserted-by":"publisher","key":"e_1_2_1_17_1","DOI":"10.1111\/1468-5973.12084"}],"container-title":["Queue"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3588041","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3588041","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:47:24Z","timestamp":1750178844000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3588041"}},"subtitle":["The loss of potential gain from other alternatives when one alternative is chosen"],"short-title":[],"issued":{"date-parts":[[2023,2,28]]},"references-count":17,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,2,28]]}},"alternative-id":["10.1145\/3588041"],"URL":"https:\/\/doi.org\/10.1145\/3588041","relation":{},"ISSN":["1542-7730","1542-7749"],"issn-type":[{"type":"print","value":"1542-7730"},{"type":"electronic","value":"1542-7749"}],"subject":[],"published":{"date-parts":[[2023,2,28]]},"assertion":[{"value":"2023-04-04","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}