Quantifying the financial impact of IT security breaches on business processes

With the rising number of security breaches affecting organizations, it has become crucial for companies to measure the costs of such incidents accurately and mitigate them in order to quantify their risk exposure and direct IT security investments. However, in the absence of standardized cost calculation methods, quantifying the internal costs of security breaches, as well as the costs of managing them, remains one of the difficulties of security risk analysis. Because companies treat the time employees spend while an affected IT resource is being repaired as idle, they overestimate the costs of security breaches and of lost productivity, which from the employees' perspective is represented by the system downtime. For these reasons, this study suggests a new approach for measuring the negative economic impact associated with such security attack events. The proposed method assumes that alternative tasks which do not rely on the affected IT resource are performed during the outage; hence the employees' time is not considered completely idle, and the total costs consequently decrease. Early results show that our method yields smaller total costs than the companies' own method when calculating the costs of information security breaches, owing to the reduced idle time, whereas cost components due to delayed work products are typically not captured at all. Our results also show how recovery procedures, in the form of the dissolution of work task queues, proceed in the event of an information security breach.
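To make the two views of outage cost concrete, the following is an added illustrative model (not the paper's own model or data): the conventional "all downtime is idle" cost beside the proposed view, which discounts idle time by the share spent on alternative tasks and adds a delayed-work-product component derived from how the task queue built up during downtime dissolves after recovery. The linear queue-drain model, the per-item-hour delay penalty and all parameter values are assumptions constructed for the example.

```python
"""Illustrative outage-cost model (added example, not the paper's own method).
All parameters, and the linear queue-drain and delay-penalty terms, are assumptions."""
from dataclasses import dataclass


@dataclass
class Outage:
    employees: int           # staff whose primary tasks need the affected resource
    hourly_cost: float       # fully loaded cost per employee-hour
    downtime_h: float        # hours the IT resource is unavailable
    alt_work_share: float    # fraction of downtime spent on alternative tasks (0..1)
    arrival_per_h: float     # work items per hour that queue up while the resource is down
    service_per_h: float     # work items per hour the team clears once it is back
    delay_cost_per_item_h: float  # assumed penalty per item-hour a work product is delayed


def company_method(o: Outage) -> float:
    """Conventional view: every employee-hour during downtime is idle and lost."""
    return o.employees * o.hourly_cost * o.downtime_h


def idle_cost(o: Outage) -> float:
    """Proposed view: only the share not covered by alternative tasks is idle."""
    return o.employees * o.hourly_cost * o.downtime_h * (1.0 - o.alt_work_share)


def queue_dissolution(o: Outage) -> tuple[float, float]:
    """Backlog built during downtime and the hours needed to dissolve it afterwards.

    Work keeps arriving while the backlog drains, so the queue only empties if the
    service rate exceeds the arrival rate; otherwise it never dissolves (inf)."""
    backlog = o.arrival_per_h * o.downtime_h
    net_drain = o.service_per_h - o.arrival_per_h
    if net_drain <= 0:
        return backlog, float("inf")
    return backlog, backlog / net_drain


def delayed_work_cost(o: Outage) -> float:
    """Delayed-work component: item-hours of waiting times the assumed penalty.

    The queue grows linearly to `backlog` over the downtime and shrinks linearly to
    zero over the clearance time, so total item-hours are the two triangle areas."""
    backlog, clear_h = queue_dissolution(o)
    if clear_h == float("inf"):
        return float("inf")
    return backlog * (o.downtime_h + clear_h) / 2.0 * o.delay_cost_per_item_h


def proposed_method(o: Outage) -> float:
    """Proposed total: reduced idle cost plus the normally uncaptured delay cost."""
    return idle_cost(o) + delayed_work_cost(o)


# Constructed sample: 20 staff, 4 h outage, 60 % of the time usable for other tasks.
SAMPLE = Outage(20, 50.0, 4.0, 0.6, 10.0, 15.0, 2.0)
```

With the sample values the conventional method charges 4000 cost units, while the proposed method charges 1600 for idle time plus 480 for an 8-hour queue dissolution, 2080 in total.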
