An economic modelling approach to information security risk management

Authors:
Rok Bojanc;Borka Jerman-Blaič
Affiliations:
Faculty of Economics, Ljubljana University and Joef Stefan Institute, Jamova 39, Ljubljana, Slovenia;Faculty of Economics, Ljubljana University and Joef Stefan Institute, Jamova 39, Ljubljana, Slovenia
Venue:
International Journal of Information Management: The Journal for Information Professionals
Year:
2008

Citing 7
Cited 9

Enemy at the gate: threats to information security

Communications of the ACM - Program compaction
Why Information Security is Hard-An Economic Perspective

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Journal of Computer Security - IFIP 2000
A model for evaluating IT security investments

Communications of the ACM - Has the Internet become indispensable?
Economics of Software Vulnerability Disclosure

IEEE Security and Privacy
Information Security Risk Analysis

Information Security Risk Analysis
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Improving CVSS-based vulnerability prioritization and response with context information

ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Fuzzy economic decision-models for information security investment

IMCAS'10 Proceedings of the 9th WSEAS international conference on Instrumentation, measurement, circuits and systems
Information security investment decision-making based on fuzzy economics

WSEAS TRANSACTIONS on SYSTEMS
Firms' information security investment decisions: Stock market evidence of investors' behavior

Decision Support Systems
Cyber security in a cloud with insight on the Slovenian situation

ECC'11 Proceedings of the 5th European conference on European computing conference
Managing the investment in information security technology by use of a quantitative modeling

Information Processing and Management: an International Journal
The economic impact of cyber terrorism

The Journal of Strategic Information Systems
Selection of optimal countermeasure portfolio in IT security planning

Decision Support Systems
Cost-benefit analysis of digital rights management products using stochastic models

Proceedings of the 46th Annual Simulation Symposium

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents an approach enabling economic modelling of information security risk management in contemporaneous businesses and other organizations. In the world of permanent cyber attacks to ICT systems, risk management is becoming a crucial task for minimization of the potential risks that can endeavor their operation. The prevention of the heavy losses that may happen due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and purchase of data protection systems. With the rise of the potential risks the investment in security services and data protection is growing and is becoming a serious economic issue to many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats, the vulnerabilities of the ICT systems and proposes a procedure that enables selection of the optimal investment of the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for an external insurance based on the quantified risk analyses is also provided.