An economic modelling approach to information security risk management
Introduction
The Internet is one of the greatest innovations of the twentieth century and has changed the lives of individuals and business organizations. Information sharing, e-commerce and unified communications are typical benefits of using the Internet. Trends such as globalization, higher productivity and cost reduction make business organizations increasingly dependent on their information systems and on Internet services. Attacks on these information systems, and the outages they cause, can lead to heavy losses of data, services and business operations. Security risks are present in an organization's information system because of technical failures, system vulnerabilities, human error, fraud and external events. This is the main reason why organizations invest in information security systems designed to protect the confidentiality, integrity and availability of information assets. With rising awareness of the potential risks of attacks and breaches, investment in information security is increasing and takes different forms depending on the area of application. Although security technologies have made great progress in the last 10 years, the security level of computers and networks has not improved considerably (Schneier, 2004; Whitman, 2003).
Almost a decade ago a number of researchers began to realize that information security is not a problem that technology alone can solve, and started to include an economic point of view as well. This approach gives business managers a better understanding of security investments, because the consequences of a security failure are presented as economic losses rather than through technical analysis. This is why security-aware organizations are shifting the focus of preventing possible failures from what is technically possible to what is economically optimal (Anderson, 2001; Anderson & Schneier, 2005; Schneier, 2004).
Looked at from an economic point of view, information security raises questions to which a purely technical explanation gives no satisfying answer, and which economics can actually address: how does an organization make its IT-based operation secure? Which security level is adequate? How much money should be invested in security? Business organizations try to answer these questions in terms of risk management.
Information security risk management is the overall process that integrates the identification and analysis of the risks to which the organization is exposed, the assessment of their potential impact on the business, and the decision on what action to take to eliminate the risk or reduce it to an acceptable level (NIST, 2002). It requires a comprehensive identification and evaluation of the organization's information assets, the consequences of security incidents, the likelihood of a successful attack on the ICT systems, and the business costs and benefits of security investments (Hoo, 2000). Standards and guidelines for information security management are available, such as the ISO 27000 series and the NIST publications (ISO, 2005; NIST, 2008). Security risk management as applied by an organization usually consists of:
1. identification of the business assets;
2. identification of threats and assessment of the damage a successful attack may cause;
3. identification of the security vulnerabilities of the systems that an attack may exploit;
4. security risk assessment;
5. measures to minimize the risk by implementing appropriate controls;
6. monitoring the effectiveness of the implemented controls.
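The six steps above carried through on a small risk register, as an added example (not code from the paper). It scores each asset/threat/vulnerability row with the classic annualised loss expectancy figures, SLE = asset value × exposure factor and ALE = SLE × annualised rate of occurrence, judges a control by the ALE it removes against its annual cost (ROSI), and closes the loop by comparing recorded losses with the predicted residual ALE. The paper does not define these formulas itself; every asset value, rate, control cost and incident figure is a constructed illustration.

```python
"""Quantitative walk-through of a six-step security risk management process.
Added example; the register, the control effects and the observed losses are
constructed, and the ALE/ROSI model is the standard one, not the paper's own."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """Steps 1-3: one row of the risk register (asset, threat, vulnerability)."""
    asset: str
    value: float          # business value of the asset (constructed)
    threat: str
    vulnerability: str    # weakness the threat exploits
    aro: float            # successful attacks expected per year
    ef: float             # fraction of asset value lost per successful attack

    def sle(self) -> float:
        """Single loss expectancy: damage from one successful attack."""
        return self.value * self.ef

    def ale(self) -> float:
        """Step 4: annualised loss expectancy of this risk."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """Step 5 candidate: a control that scales ARO and/or EF of named risks."""
    name: str
    annual_cost: float
    effects: dict  # (asset, threat) -> (ARO multiplier, EF multiplier)

    def apply(self, r: Risk) -> Risk:
        aro_mult, ef_mult = self.effects.get((r.asset, r.threat), (1.0, 1.0))
        return replace(r, aro=r.aro * aro_mult, ef=r.ef * ef_mult)


# Constructed register for a small web shop.
REGISTER = [
    Risk("customer database", 500_000, "SQL injection",
         "unvalidated input in web application", aro=0.5, ef=0.4),
    Risk("customer database", 500_000, "ransomware",
         "unpatched file server", aro=0.2, ef=0.6),
    Risk("web shop front end", 200_000, "volumetric DDoS",
         "single ISP uplink", aro=2.0, ef=0.05),
]

# Constructed candidate controls: preventive ones cut ARO, backups cut EF.
CONTROLS = [
    Control("WAF + input validation", 15_000,
            {("customer database", "SQL injection"): (0.2, 1.0)}),
    Control("offline backups", 8_000,
            {("customer database", "ransomware"): (1.0, 0.25)}),
    Control("DDoS scrubbing service", 30_000,
            {("web shop front end", "volumetric DDoS"): (0.3, 1.0)}),
]


def total_ale(register) -> float:
    return sum(r.ale() for r in register)


def evaluate_control(control: Control, register) -> dict:
    """Step 5: ALE removed by one control, its net benefit and
    ROSI = (ALE reduction - annual cost) / annual cost."""
    before = total_ale(register)
    after = total_ale([control.apply(r) for r in register])
    net = before - after - control.annual_cost
    return {"control": control.name, "ale_before": before, "ale_after": after,
            "net_benefit": net, "rosi": net / control.annual_cost,
            "recommended": net > 0}


def recommended_controls(controls, register):
    """Controls whose ALE reduction exceeds their cost, best ROSI first."""
    evals = [evaluate_control(c, register) for c in controls]
    return sorted((e for e in evals if e["recommended"]),
                  key=lambda e: e["rosi"], reverse=True)


def monitoring_check(predicted_ale: float, observed_losses, tolerance=0.5):
    """Step 6: compare losses recorded in a review period with the residual
    ALE predicted after deployment. Returns (observed total, True when the
    controls under-perform the model by more than `tolerance`, i.e. the
    assessment must be revisited)."""
    observed = sum(observed_losses)
    return observed, observed > predicted_ale * (1.0 + tolerance)


if __name__ == "__main__":
    print(f"total ALE before controls: {total_ale(REGISTER):,.0f}")
    for e in recommended_controls(CONTROLS, REGISTER):
        print(f"{e['control']}: net benefit {e['net_benefit']:,.0f}, "
              f"ROSI {e['rosi']:.2f}")
    residual = REGISTER
    for c in CONTROLS[:2]:          # the two controls that paid for themselves
        residual = [c.apply(r) for r in residual]
    # Constructed incident costs logged in the first year after deployment.
    print(monitoring_check(total_ale(residual), [12_000, 9_000, 4_500]))
```

With these figures the WAF and the backups each remove far more ALE than they cost, while the DDoS scrubbing service removes only 14,000 of ALE for 30,000 a year and is not justified; the monitoring step then compares what actually happened with the 55,000 residual ALE the model predicted.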
This paper proposes a standard approach to assessing the required ICT security investment and data protection. In the proposed approach the assets, threats and vulnerabilities of the ICT systems are first identified through a security risk analysis; a method for quantifying the necessary investment in security provision is then described. The paper ends with a discussion of the applicability of the approach to insuring enterprise security risk, i.e. external insurance based on the quantified risk analysis.
Section snippets
Gathering the data for security risk analysis
The goal of security risk analysis is to identify and measure the risks in order to inform the decision-making process. Risk analysis needs data about the information assets of the organization, the threats to which the assets are exposed, the system vulnerabilities that those threats may exploit, and the security controls already implemented.
Approaches for security risk assessment
Once security risks have been identified, they must be assessed for their potential loss and their probability of occurrence. Risk assessment determines the potential impact of an individual risk by estimating the likelihood that it will occur and the impact if it does. It helps organizations decide on the necessary investment in security controls and systems in the areas that maximize business benefit.
There are many different methodologies for assessing
Risk minimization strategies
Once risks have been identified and assessed, the organization must choose the right strategy to minimize the risk (NIST, 2002). The strategies include the following:
- Avoiding the threats and attacks by eliminating the source of the risk or the asset's exposure to it. This is usually applied when the severity of the risk's impact outweighs the benefit gained from having or using the asset, e.g. fully open connectivity to the Internet.
- Reducing the asset's exposure to
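The strategy choice costed out on one quantified risk, as an added example (not the paper's code). NIST SP 800-30, which the passage cites, lists accepting, avoiding, reducing (limiting) and transferring the risk; the example puts an expected annual cost on each, including transfer through an insurance policy and the combination of a control with insurance on the residual, and picks the cheapest. SLE, ARO and the asset's annual benefit are assumed to come from the assessment step; the control effects, premiums, deductibles and coverage limits are constructed assumptions.

```python
"""Expected-annual-cost comparison of risk-minimisation strategies.
Added example; all monetary figures and policy terms are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskFigures:
    sle: float            # single loss expectancy of one event
    aro: float            # successful events per year
    asset_benefit: float  # annual business benefit the asset generates

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Option:
    strategy: str
    expected_annual_cost: float  # controls + premiums + losses still carried
    residual_ale: float


def accept(f: RiskFigures) -> Option:
    """Carry the risk unchanged."""
    return Option("accept", f.ale, f.ale)


def avoid(f: RiskFigures) -> Option:
    """Remove the asset or its exposure: the risk disappears, but so does
    the benefit of having the asset (the page's example: open Internet
    connectivity)."""
    return Option("avoid", f.asset_benefit, 0.0)


def after_control(f: RiskFigures, aro_mult: float, ef_mult: float) -> RiskFigures:
    """Residual figures once a control scales ARO and/or the loss per event."""
    return replace(f, sle=f.sle * ef_mult, aro=f.aro * aro_mult)


def reduce(f: RiskFigures, control_cost: float, aro_mult: float,
           ef_mult: float = 1.0) -> Option:
    res = after_control(f, aro_mult, ef_mult)
    return Option("reduce", control_cost + res.ale, res.ale)


def retained_ale(f: RiskFigures, deductible: float, limit: float) -> float:
    """Loss still carried under a policy with a per-event deductible and a
    per-event coverage limit (assumed policy shape)."""
    per_event = min(f.sle, deductible) + max(0.0, f.sle - deductible - limit)
    return per_event * f.aro


def transfer(f: RiskFigures, premium: float, deductible: float,
             limit: float) -> Option:
    res = retained_ale(f, deductible, limit)
    return Option("transfer", premium + res, res)


def reduce_and_transfer(f: RiskFigures, control_cost: float, aro_mult: float,
                        ef_mult: float, premium: float, deductible: float,
                        limit: float) -> Option:
    """Control first, then insure the residual (premium assumed to be
    repriced for the lower residual risk)."""
    res = retained_ale(after_control(f, aro_mult, ef_mult), deductible, limit)
    return Option("reduce+transfer", control_cost + premium + res, res)


def cheapest(options) -> Option:
    return min(options, key=lambda o: o.expected_annual_cost)


# Case 1 (constructed): customer database exposed to SQL injection.
DATABASE = RiskFigures(sle=200_000, aro=0.5, asset_benefit=400_000)
DATABASE_OPTIONS = [
    accept(DATABASE),
    avoid(DATABASE),
    reduce(DATABASE, control_cost=15_000, aro_mult=0.2),
    transfer(DATABASE, premium=25_000, deductible=20_000, limit=150_000),
    reduce_and_transfer(DATABASE, 15_000, 0.2, 1.0,
                        premium=6_000, deductible=20_000, limit=150_000),
]

# Case 2 (constructed): a legacy FTP server left open to the Internet that
# almost nobody uses, the situation where avoidance is the right answer.
FTP = RiskFigures(sle=30_000, aro=1.0, asset_benefit=2_000)
FTP_OPTIONS = [accept(FTP), avoid(FTP), reduce(FTP, control_cost=5_000, aro_mult=0.2)]

if __name__ == "__main__":
    for opts in (DATABASE_OPTIONS, FTP_OPTIONS):
        for o in opts:
            print(o)
        print("->", cheapest(opts).strategy)
```

For the database, avoidance costs the whole business benefit, acceptance costs the full ALE, and the control alone beats insurance alone, but the control plus a cheaper policy on the residual is the economic optimum; for the near-worthless FTP server the cheapest strategy is simply to switch it off.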
Conclusions
Information security risk management is a fundamental concern for all organizations. This paper presents an analysis of the problem of determining investment in information security. The outcome of the analysis is a recommendation that could evolve into a standardized approach. The approach starts with the methodical system used in the risk management process, which enables identification of the assets. This provides a good understanding of why and what should be protected in
References (47)
- et al. (2005). Vulnerability and information security investment: An empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy.
- (1970). The market for lemons: Quality uncertainty and the market mechanism. Quarterly Journal of Economics.
- Anderson, R. (2001). Why information security is hard: An economic perspective. In ACSAC '01: Proceedings of the...
- et al. (2005). Economics of information security. IEEE Security and Privacy.
- et al. (2005). Economics of software vulnerability disclosure. IEEE Security and Privacy.
- et al. (2005). Network software security and user incentives.
- Böhme, R., & Kataria, G. (2006). Models and measures for correlation in cyber-insurance. In The fifth workshop on the...
- et al. (2002). Computer Security Handbook.
- (2006). The state of economics of information security. A Journal of Law and Policy for the Information Society.
- et al. Pricing security.
- The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security.
- A model for evaluating IT security investments. Communications of the ACM.
- The security risk assessment handbook: A complete guide for performing security risk assessments.
- Making choices to show ROI. Secure Business Quarterly.
- The economics of information security investment. ACM.
Cited by (148)
- An approach based on hexagram model for quantifying security risks with Performance Key Indicators (PKI). 2024, Computers and Electrical Engineering.
- Expanding the Gordon-Loeb model to cyber-insurance. 2022, Computers and Security.
  Citation excerpt: "Our work contributes primarily to the literature on the economic aspects of cyber-insurance, and therefore gives papers in this discipline the greatest critical focus. An early contribution in this area is by Bojanc and Jerman-Blazic (2008), who outline a variety of different economic techniques that could be used for information security risk management; they discuss cyber-insurance as a potential solution to the problem but cite the work of Majuca et al. (2006) as cause for concern that some cyber policies may not pay out. Pal et al. (2010) investigate the problem of self-defense investments in the Internet under full and partial insurance coverage models, finding that cooperation among users results in more efficient self-defence investments and that partial insurance motivates non-cooperative internet users to invest efficiently in self-defense mechanisms."
- Survey of cyber risk analysis techniques for use in the nuclear industry. 2021, Progress in Nuclear Energy.
- Nexus among blockchain technology adoption and firm performance: perspective from mediating and moderating effects. 2024, International Journal of Organizational Analysis.
Rok Bojanc is currently CIO of ZZI, a software solution firm active in the e-business exchange area. He has been involved with IT and information security for over 10 years. Prior to ZZI, Mr. Bojanc spent over 9 years as an instructor; he has written several training courses on subjects including IT, networks, security and Microsoft server systems. He is a frequent lecturer and speaks about IT and security at many seminars and conferences. As both a technical lead and project manager, he has worked in designing, developing, implementing and managing information systems and networks for more than 7 years. He has written many handbooks and technical articles related to IT. In addition, he teaches undergraduate courses in the area of information science. He holds a Master's degree in Physics from the University of Ljubljana and is pursuing his Ph.D. in Information Management. He is a Microsoft Certified System Engineer (MCSE).
Borka Jerman-Blažič holds an MS in Electrical Engineering from the University of Ljubljana and a Ph.D. in natural and computing sciences from the University of Zagreb.
Prof. Dr. Borka Jerman-Blažič is a full professor at the University of Ljubljana, Department of Economics and is heading the Laboratory for Open Systems and Networks at Jožef Stefan Institute.
She teaches undergraduate courses in electronic communications and information security and postgraduate courses in Telecommunication Services and Technologies, Legal Aspects and Standards in ICT, and E-commerce. Prof. Dr. Borka Jerman-Blažič is a member of the IEEE Computer Society, a member of the ACM, a member of the New York Academy of Science since 1991 and a member of IFIP. She is an appointed member of the UNECE/CEFAT UN (Economic Commission for Europe) group for Internet enterprise development, an appointed member of the eTEN management committee of the EU and a member of the EU FP7 Programme Committee on Security; she was Chair (2004–2007) of the Internet Society of Europe (www.isoc-ecc.org), is a Distinguished Member of the Slovene Society for Informatics, and sits on the editorial board of the International Journal of Technology Enhanced e-Learning. She holds a plaque of appreciation from the Thai branch of IFIP and ACM for her services to Internet development, and best paper awards (IARIA IEEE conferences).
Prof. Dr. Borka Jerman-Blažič has taken part in more than 150 international conferences and workshops as a speaker, invited speaker, chair or member of the programme committee. She has published more than 90 papers in refereed scientific journals, 154 contributions at scientific meetings, 15 chapters in scientific books, 6 books and 142 other scientific contributions. She also has editorial experience with books published by Kluwer P.C. and IOS Press (2001–2004).