Security service level agreements: quantifiable security for the enterprise?
A popular business paradigm for information systems treats the information infrastructure as a corporate utility. In this model, a fixed Total Cost of Ownership (TCO) is associated with a given workstation, the network infrastructure, user applications, and personnel required for operational support. Related to the TCO model is the Seat Management model, which exploits the economies of standardization and scale to reduce information technology expenses. In both of these models, a defined, measurable service level is applied as a cost metric. For example, seven days per week, twenty-four hour help desk support is more costly than five days per week, business hours support. These measurable service levels are defined as Service Level Agreements. Few security services have been specified in terms that are amenable to Service Level Agreements. This raises the question: can security be adequately expressed in a Service Level Agreement context? This paper looks at a derivation of security-related service level agreements for a large enterprise. The possible applications of this approach are presented, as is a discussion of the caveats an information technology organization should consider prior to adopting security service level agreements.