Affiliation:
1. Department of Information and Computing Sciences, Utrecht University, Utrecht, The Netherlands
Abstract
Organizations know that investing in security measures is an important requirement for doing business. But how much should they invest, and how should those investments be directed? Many organizations have turned to a risk management approach to identify the largest threats and the control measures that could help mitigate them. This research presents the Cost of IT Security (CITS) Framework to support analysis of the costs and benefits of those control measures. This analysis can be performed using either quantification methods or a qualitative approach. Based on a study of five distinct security areas (Identity Management, Network Access Control, Intrusion Detection Systems, Business Continuity Management and Data Loss Prevention), nine cost factors are identified for IT security; for only five of those nine is a quantitative approach to the cost factor feasible. This study finds that even though quantification methods are useful, organizations that wish to use them should combine them with more qualitative approaches in the decision-making process for security measures.