An economic modelling approach to information security risk management

https://doi.org/10.1016/j.ijinfomgt.2008.02.002

Abstract

This paper presents an approach enabling economic modelling of information security risk management in contemporary businesses and other organizations. In a world of constant cyber attacks on ICT systems, risk management is becoming a crucial task for minimizing the potential risks that can endanger their operation. Preventing the heavy losses that may result from cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and the purchase of data protection systems. As the potential risks rise, investment in security services and data protection is growing and is becoming a serious economic issue for many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats and the vulnerabilities of ICT systems and proposes a procedure that enables selection of the optimal investment in the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for external insurance based on the quantified risk analyses is also discussed.

Introduction

The evolution of the Internet is one of the greatest innovations of the twentieth century and has changed the lives of individuals and business organizations. Sharing of information, e-commerce and unified communication are some of the main benefits of using the Internet. Trends like globalization, higher productivity and cost reduction make business organizations increasingly dependent on their information systems and on Internet services. Potential attacks on the information systems, and a resulting crash, may cause heavy losses of data, services and business operation. Security risks are present in the organization's information system due to technical failures, system vulnerabilities, human failures, fraud or external events. This is the main reason why organizations are investing in information security systems, which are designed to protect the confidentiality, integrity and availability of information assets. Due to the rising awareness of the potential risks of attacks and breaches, investments in information security are increasing and take different approaches depending on the area of application. Although security technologies have made great progress in the last 10 years, the security level of computers and networks has not improved considerably (Schneier, 2004; Whitman, 2003).

Almost a decade ago, a number of researchers began to realize that information security is not a problem that technology alone can solve and tried to include an economic point of view as well. This approach gives business managers a better understanding of security investments, because the importance of a security failure is presented through economic losses instead of technical analysis. This is the reason why security-aware organizations are shifting the focus of failure prevention from what is technically possible to what is economically optimal (Anderson, 2001; Anderson & Schneier, 2005; Schneier, 2004).

When looking at an information security system from an economic point of view, economics can actually provide answers to many questions for which a purely technical explanation has no satisfying answer: how does an organization become secure in its IT-based operation? Which security level is adequate? How much money should be invested in security? Business organizations try to answer these questions in terms of risk management.

Information security risk management is the overall process which integrates the identification and analysis of the risks to which the organization is exposed, the assessment of potential impacts on the business, and the decision on what action can be taken to eliminate or reduce risk to an acceptable level (NIST, 2002). It requires a comprehensive identification and evaluation of the organization's information assets, the consequences of security incidents, the likelihood of a successful attack on the ICT systems, and the business costs and benefits of security investments (Hoo, 2000). Standards and guidelines are available for information security management, such as the ISO 27000 series and NIST publications (ISO, 2005; NIST, 2008). Security risk management applied by an organization usually consists of:

  1. identification of the business assets;
  2. identification of threats and assessment of the damage that a successful attack may cause;
  3. identification of the security vulnerabilities of the systems that an attack may exploit;
  4. security risk assessment;
  5. measures to minimize the risk through implementation of appropriate controls;
  6. monitoring the effectiveness of the implemented controls.

This paper proposes a standard approach towards assessment of the required investment in ICT security and data protection. In the proposed approach, the assets, the threats and the vulnerabilities of the ICT systems are first identified through a security risk analysis; then a method for quantification of the necessary investment in security provision is described. The paper ends with a discussion of the applicability of the approach to enterprise security risk insurance, i.e. external insurance based on the quantified risk analyses.

Section snippets

Gathering the data for security risk analysis

The goal of security risk analysis is to identify and measure the risks in order to inform the decision-making process. Risk analysis needs the data about information assets in the organization, threats to which assets are exposed, system vulnerabilities that threats may exploit and implemented security controls.

Approaches for security risk assessment

Once security risks have been identified, they must be assessed with respect to their potential loss and their probability of occurrence. Risk assessment is the determination of the potential impact of an individual risk by assessing the likelihood that it will occur and the impact if it does occur. It helps organizations decide on the necessary investment in security controls and systems in the areas that maximize the business benefit.
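The six-step process from the introduction and the likelihood-times-impact view of risk assessment above can be turned into a small quantitative risk register. The following Python is an added example, not code or data from the paper; it assumes the common expected-loss model (single loss = asset value × exposure fraction; expected yearly loss = single loss × yearly attack rate) and a simple rule that a control is worth buying only while the expected-loss reduction it adds exceeds its yearly cost. All asset names, figures and control names are constructed for illustration.

```python
"""Toy quantitative risk register: assets, threats, controls (constructed sample data)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One (asset, threat) pair produced by steps 1-3 of the risk analysis."""
    asset: str
    threat: str
    asset_value: float   # value of the asset, in money units
    exposure: float      # fraction of asset_value lost in one successful attack (0..1)
    annual_rate: float   # expected successful attacks per year before new controls


@dataclass(frozen=True)
class Control:
    """A candidate security control with its yearly cost and effect."""
    name: str
    annual_cost: float
    covers: Tuple[Tuple[str, str], ...]  # (asset, threat) pairs the control applies to
    rate_reduction: float                # fraction by which it lowers annual_rate (0..1)


def single_loss(r: Risk) -> float:
    """Loss from one successful attack: asset value times exposure fraction."""
    return r.asset_value * r.exposure


def annual_expected_loss(r: Risk) -> float:
    """Expected yearly loss = single loss x likelihood (attacks per year)."""
    return single_loss(r) * r.annual_rate


def residual_rate(r: Risk, controls: Iterable[Control]) -> float:
    """Attack rate after applying every control that covers this risk."""
    rate = r.annual_rate
    for c in controls:
        if (r.asset, r.threat) in c.covers:
            rate *= 1.0 - c.rate_reduction
    return rate


def total_expected_loss(register: List[Risk], controls: List[Control]) -> float:
    """Expected yearly loss over the whole register with the given controls in place."""
    return sum(single_loss(r) * residual_rate(r, controls) for r in register)


def rank_risks(register: List[Risk]) -> List[Tuple[str, str, float]]:
    """Step 4: order risks by expected yearly loss, largest first."""
    return sorted(((r.asset, r.threat, annual_expected_loss(r)) for r in register),
                  key=lambda t: -t[2])


def net_benefit(register: List[Risk], chosen: List[Control], candidate: Control) -> float:
    """Loss reduction the candidate adds on top of already chosen controls, minus its cost."""
    before = total_expected_loss(register, chosen)
    after = total_expected_loss(register, chosen + [candidate])
    return (before - after) - candidate.annual_cost


def select_controls(register: List[Risk], candidates: List[Control]) -> List[Control]:
    """Step 5: greedily add the control with the largest positive net benefit until none remains."""
    chosen, remaining = [], list(candidates)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(register, chosen, c))
        if net_benefit(register, chosen, best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed sample register and candidate controls (hypothetical figures, not from the paper).
REGISTER = [
    Risk("customer database", "data breach", 400_000, 0.5, 0.25),
    Risk("web shop", "DDoS outage", 300_000, 0.125, 1.5),
    Risk("workstations", "malware", 80_000, 0.25, 2.0),
]
CANDIDATES = [
    Control("database encryption and access control", 15_000,
            (("customer database", "data breach"),), 0.75),
    Control("DDoS mitigation service", 50_000, (("web shop", "DDoS outage"),), 0.5),
    Control("endpoint protection", 12_000, (("workstations", "malware"),), 0.5),
]

if __name__ == "__main__":
    for asset, threat, ale in rank_risks(REGISTER):
        print(f"{asset:18s} {threat:12s} expected loss/year {ale:>10,.0f}")
    chosen = select_controls(REGISTER, CANDIDATES)
    print("selected controls:", [c.name for c in chosen])
    print(f"expected loss/year before {total_expected_loss(REGISTER, []):,.0f}, "
          f"after {total_expected_loss(REGISTER, chosen):,.0f}")
```

With the sample figures the DDoS risk ranks highest by expected loss, yet the mitigation service is not selected because its yearly cost exceeds the loss it would avert; the remaining expected loss on that risk is what a treatment such as acceptance or transfer (the insurance option the paper discusses) would have to cover. The greedy selection is a simplification; with many controls whose coverage overlaps, an exact optimisation over control subsets may pick a different set.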

There are many different methodologies for assessing

Risk minimization strategies

Once risks have been identified and assessed, the organization must choose the right strategy to minimize the risk (NIST, 2002). The strategies include the following:

  • Avoiding the threats and the attacks by eliminating the source of risk or the asset's exposure to the risk. This is usually applied when the severity of the risk's impact outweighs the benefit gained from having or using the particular asset, e.g. fully open connectivity to the Internet.

  • Reducing the asset's exposure to

Conclusions

Information security risk management is a fundamental concern for all organizations. This paper presents an analysis of the problem of determining the investment in information security. The outcome of the analysis is a recommendation that could evolve into a standardized approach. The approach starts with the methodical system used in the risk management process, which enables identification of the assets. This provides a good understanding of why and what should be protected in


References (47)

  • Tanaka, H., et al. (2005). Vulnerability and information security investment: An empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy.
  • Akerlof, G.A. (1970). The market for lemons: Quality uncertainty and the market mechanism. Quarterly Journal of Economics.
  • Anderson, R. (2001). Why information security is hard: An economic perspective. In ACSAC ‘01: Proceedings of the...
  • Anderson, R., et al. (2005). Economics of information security. IEEE Security and Privacy.
  • Arora, A., et al. (2005). Economics of software vulnerability disclosure. IEEE Security and Privacy.
  • August, T., et al. (2005). Network software security and user incentives.
  • Böhme, R., & Kataria, G. (2006). Models and measures for correlation in cyber-insurance. In The fifth workshop on the...
  • Bosworth, S., et al. (2002). Computer Security Handbook.
  • Camp, L.J. (2006). The state of economics of information security. A Journal of Law and Policy for the Information Society.
  • Camp, L.J., et al. Pricing security.
  • Campbell, K. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security.
  • Cavusoglu, H., Cavusoglu, H., & Zhang, J. (2006). Economics of security patch management. In The fifth workshop on the...
  • Cavusoglu, H., et al. (2004). A model for evaluating IT security investments. Communications of the ACM.
  • CERT (2007). Computer Emergency Response Team Coordination Center (CERT/CC) vulnerability remediation statistics....
  • Counterpane (2000). Counterpane Internet Security, Lloyd's of London: Counterpane Internet Security announces...
  • CSI (2007). CSI Survey 2007. The twelfth annual computer crime and security survey. Retrieved October 10, 2007, from...
  • Dacey, F. R. (2003). Effective patch management is critical to mitigating software vulnerabilities....
  • Douglas, J.L. (2006). The security risk assessment handbook. A complete guide for performing security risk assessments.
  • DTI (2006). Information security breaches survey 2006. Retrieved March 18, 2007, from...
  • Dynes, S., Andrijcic, E., & Johnson, M. E. (2006). Costs to the U.S. economy of information infrastructure failures:...
  • FIPS (2004). Federal Information Processing Standards (FIPS) publication 199. Security Categorization of Federal...
  • Geer, D. (2002). Making choices to show ROI. Secure Business Quarterly.
  • Gordon, L.A., et al. (2002). The economics of information security investment. ACM.
Cited by (148)

  • Expanding the Gordon-Loeb model to cyber-insurance. 2022, Computers and Security.

    Citation excerpt:

    Our work contributes primarily to the literature on the economic aspects of cyber-insurance, and therefore give papers in this discipline greatest critical focus. An early contribution in this area is by Bojanc and Jerman-Blazic (2008) who outline a variety of different economic techniques that could be used for information security risk management; they discuss cyber-insurance as a potential solution to the problem but cite the work of Majuca et al. (2006) as cause for concern that some cyber policies may not pay out. Pal et al. (2010) investigate the problem of self-defense investments in the Internet under full and partial insurance coverage models, finding that cooperation among users results in more efficient self-defence investments and that partial insurance motivates non-cooperative internet users to invest efficiently in self-defense mechanisms.

Rok Bojanc is currently CIO of ZZI, a software solution firm active in the e-business exchange area. He has been involved with IT and information security for over 10 years. Prior to ZZI, Mr. Bojanc spent over 9 years as an instructor; he has written several training courses on subjects including IT, networks, security, and Microsoft server systems. He is a frequent lecturer and speaks about IT and security at many seminars and conferences. As both a technical lead and project manager, he has worked in designing, developing, implementing and managing information systems and networks for more than 7 years. He has written many handbooks and technical articles related to IT. In addition, he teaches undergraduate courses in the area of information science. He holds a Master's degree in Physics from the University of Ljubljana and is pursuing his Ph.D. in Information Management. He is a Microsoft Certified Systems Engineer (MCSE).

Borka Jerman-Blažič holds an MS in Electrical Engineering from the University of Ljubljana and a Ph.D. in natural and computing sciences from the University of Zagreb.

Prof. Dr. Borka Jerman-Blažič is a full professor at the University of Ljubljana, Department of Economics, and heads the Laboratory for Open Systems and Networks at the Jožef Stefan Institute.

She teaches undergraduate courses in electronic communications and information security and postgraduate courses in Telecommunication Services and Technologies, Legal Aspects and Standards in ICT, and E-commerce. Prof. Dr. Borka Jerman-Blažič is a member of the IEEE Computer Society, a member of the ACM, a member of the New York Academy of Science since 1991, and a member of IFIP. She is an appointed member of the UNECE/CEFAT UN (Economic Commission for Europe) group for Internet enterprise development, an appointed member of the eTEN management committee of the EU and a member of the EU FP7 Programming Committee on Security, Chair (2004–2007) of the Internet Society of Europe (www.isoc-ecc.org), a Distinguished Member of the Slovene Society for Informatics, and a member of the editorial board of the international journal of Technology Enhanced e-Learning. She holds a plaque of appreciation from the Thai branch of IFIP and ACM for her services in Internet development and has received best paper awards (IARIA IEEE conference).

Prof. Dr. Borka Jerman-Blažič has been involved in more than 150 international conferences and workshops as a speaker, invited speaker, chair or member of the programme committees. She has published more than 90 papers in refereed scientific journals, 154 communications at scientific meetings, 15 chapters in scientific books, 6 books and 142 other scientific contributions. She also has editorial experience with books published by Kluwer P.C. and IOS Press (2001–2004).
