Managing the investment in information security technology by use of a quantitative modeling

Authors:
Rok Bojanc;Borka Jerman-Blaič;Metka TekavčIč
Affiliations:
ZZI, Ljubljana, Slovenia;Institut Joef Stefan, University of Ljubljana, Slovenia;Faculty of Economics, University of Ljubljana, Slovenia
Venue:
Information Processing and Management: an International Journal
Year:
2012

Citing 11
Cited 0

Business Continuity Planning

International Journal of Network Management
Using information security as a response to competitor analysis systems

Communications of the ACM
The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Why Information Security is Hard-An Economic Perspective

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Managing vulnerabilities of information systems to security incidents

ICEC '03 Proceedings of the 5th international conference on Electronic commerce
Secrets and Lies: Digital Security in a Networked World

Secrets and Lies: Digital Security in a Networked World
Evaluating information security investments using the analytic hierarchy process

Communications of the ACM - Medical image modeling
Budgeting process for information security expenditures

Communications of the ACM - Personal information management
Software Security: Building Security In

Software Security: Building Security In
Towards a standard approach for quantifying an ICT security investment

Computer Standards & Interfaces
An economic modelling approach to information security risk management

International Journal of Information Management: The Journal for Information Professionals

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents a mathematical model for an optimal security-technology investment evaluation and decision-making processes based on a quantitative analysis of the security risks and a digital-assets assessment in an organization. The model makes use of a quantitative analysis of different security measures that counteract individual risks by identifying the information-system processes in an enterprise and the potential threats. The model comprises the target security levels for all the identified core business processes and the probability of a security accident together with the possible loss the organization may suffer. The model allows in-depth analyses and computations providing quantitative assessments of different options for investments, which translate into recommendations that facilitate the selection of the best solution and the associated decision-making. The model was tested using empirical examples and mathematical simulations with data from a real business environment.