
2013 | Original Paper | Book chapter

2. To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool

Authors: Lukas Demetz, Daniel Bachlechner

Published in: The Economics of Information Security and Privacy

Publisher: Springer Berlin Heidelberg


Abstract

The threat of information security (IS) breaches is omnipresent. Large organizations such as Sony and Lockheed Martin were recently attacked and lost confidential customer information. Besides targeted attacks, virus and malware infections, lost or stolen laptops and mobile devices, and the misuse of organizational IT by employees, to name but a few, also put the security of assets in jeopardy. To defend against IS threats, organizations invest in IS countermeasures that prevent, or at least reduce the probability and the impact of, IS breaches. As IS budgets are constrained and the number of assets to be protected is large, IS investments need to be evaluated deliberately. Several approaches for evaluating IS investments are presented in the literature. In this chapter, we identify, compare, and evaluate such approaches using the example of a policy and security configuration management tool. Such a tool is expected to reduce the cost of organizational policy and security configuration management and to increase the trustworthiness of organizations. We found that none of the analyzed approaches can be used without reservation to assess the economic viability of the policy and security configuration management tool used as an example. We see, however, considerable potential for new approaches that combine elements of existing approaches.
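The abstract frames countermeasures as reducing the probability and the impact of breaches, weighed against a constrained budget. That framing is the basis of the annualized-loss-expectancy comparison behind the return-on-security-investment (ROSI) figure popularized by Sonnenreich, Albanese and Stout (2006). The block below is an added example, not code from the chapter: it applies that computation to a hypothetical policy and security configuration management tool with constructed loss figures, incident rates and annual cost, and adds a sensitivity check over the incident rates because those are the inputs a practitioner can least justify.

```python
"""Added example (not from the chapter): an annualized-loss-expectancy comparison
of a countermeasure's cost against the breach losses it is expected to avoid,
in the ROSI form popularized by Sonnenreich, Albanese and Stout (2006).
All threat figures below are constructed for illustration, not measured."""

from dataclasses import dataclass
from typing import Dict, Iterable, Sequence


@dataclass(frozen=True)
class Threat:
    """One threat scenario and how much the tool is assumed to change it."""
    name: str
    single_loss_expectancy: float  # expected loss per incident (currency units)
    annual_rate: float             # expected incidents per year without the tool
    rate_reduction: float          # fraction of incidents the tool prevents, 0..1
    impact_reduction: float = 0.0  # fraction of per-incident loss the tool removes, 0..1

    def ale_before(self) -> float:
        """Annualized loss expectancy without the countermeasure."""
        return self.single_loss_expectancy * self.annual_rate

    def ale_after(self) -> float:
        """Annualized loss expectancy with the countermeasure in place."""
        return (self.single_loss_expectancy * (1.0 - self.impact_reduction)
                * self.annual_rate * (1.0 - self.rate_reduction))


# Constructed scenarios for a policy and security configuration management tool.
THREATS: Sequence[Threat] = (
    Threat("misconfigured access control exposes customer data", 200_000.0, 0.2, 0.6),
    Threat("malware infection via a host that drifted from baseline", 50_000.0, 2.0, 0.3),
    Threat("employee bypasses a security policy", 20_000.0, 5.0, 0.5),
)
ANNUAL_COST = 80_000.0  # assumed licence, operation and staff cost per year


def annual_benefit(threats: Iterable[Threat]) -> float:
    """Loss avoided per year, summed over all scenarios."""
    return sum(t.ale_before() - t.ale_after() for t in threats)


def rosi(threats: Iterable[Threat], annual_cost: float) -> float:
    """(avoided loss - cost) / cost; positive means the tool pays for itself."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (annual_benefit(threats) - annual_cost) / annual_cost


def break_even_cost(threats: Iterable[Threat]) -> float:
    """Largest annual cost at which ROSI is still non-negative."""
    return annual_benefit(threats)


def sensitivity(threats: Sequence[Threat], annual_cost: float,
                factors: Sequence[float] = (0.5, 1.0, 2.0)) -> Dict[float, float]:
    """ROSI when every incident rate is scaled by each factor.

    Incident rates are the least reliable inputs; if the sign of ROSI flips
    within a plausible range of rates, the figure alone should not decide."""
    out: Dict[float, float] = {}
    for f in factors:
        scaled = [Threat(t.name, t.single_loss_expectancy, t.annual_rate * f,
                         t.rate_reduction, t.impact_reduction) for t in threats]
        out[f] = rosi(scaled, annual_cost)
    return out


if __name__ == "__main__":
    print(f"avoided loss per year: {annual_benefit(THREATS):,.0f}")
    print(f"break-even annual cost: {break_even_cost(THREATS):,.0f}")
    print(f"ROSI at cost {ANNUAL_COST:,.0f}: {rosi(THREATS, ANNUAL_COST):+.2f}")
    for f, r in sensitivity(THREATS, ANNUAL_COST).items():
        print(f"incident rates x{f}: ROSI {r:+.2f}")
```

With the constructed figures the tool looks viable (ROSI of +0.30), but halving the assumed incident rates turns the verdict negative while doubling them makes it strongly positive. That is the practical form of the reservation the abstract states: the arithmetic is easy, the inputs are not, so any ROSI-style figure for such a tool should be reported together with the range of assumptions under which it holds.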


Metadata
Title
To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool
Authors
Lukas Demetz
Daniel Bachlechner
Copyright year
2013
Publisher
Springer Berlin Heidelberg
DOI
https://doi.org/10.1007/978-3-642-39498-0_2
