A framework for evaluating IT security investments in a banking environment

The amount of effort that can be expended on information security depends on the funds available and on management decisions. Organisations therefore have to prepare an annual budget for the maintenance and improvement of their information security systems. Two of the key issues that confront IT management when dealing with IT security investments are how to spend the IT security budget most effectively, and how to make the case for an increase in funds to maintain and further enhance information security. The aim of this paper is to present a quantitative framework as an alternative way of analysing IT security investments in a banking environment in order to address these two issues. A two-step framework is proposed. The first step utilises a cluster analysis (CA) technique and the second step employs a linear programming technique called data envelopment analysis (DEA). The purpose of the clustering step is to ensure that evaluations are carried out within groups of homogeneous bank branches, so that efficiency scores are not distorted by comparing branches of very different size and profile, while the purpose of the DEA model is to determine which of the branches in each group make efficient use of the IT security resources available to them. Following a brief discussion of the proposed framework and the techniques used, an illustrative example based on a well-known South African financial institution is presented.
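The two-step framework described above, as an added worked example that is not the paper's own code or data: branches are first clustered on size attributes with k-means, then an input-oriented CCR DEA model (the multiplier form, solved with a small simplex routine) scores each branch against the others in its cluster. The paper names only "cluster analysis" and "DEA", so the choice of k-means, of the CCR model, and of the clustering attributes, DEA inputs (security spend and security staff hours) and DEA outputs (transaction volume and active accounts) are assumptions made here; every branch figure is constructed.

```python
"""Two-step evaluation: k-means clustering of bank branches, then an
input-oriented CCR DEA model solved per cluster with a small simplex
solver.  Illustrative example, not the paper's code; all branch figures
are constructed.  DEA variables: u = output weights, v = input weights."""


def standardise(points):
    """Z-score each feature so size attributes on different scales get equal say."""
    cols = list(zip(*points))
    means = [sum(c) / len(c) for c in cols]
    sds = [max((sum((x - m) ** 2 for x in c) / len(c)) ** 0.5, 1e-12)
           for c, m in zip(cols, means)]
    return [[(x - m) / s for x, m, s in zip(p, means, sds)] for p in points]


def kmeans(points, k, iters=100):
    """Plain Lloyd k-means with a deterministic seed (points evenly spaced
    along the first feature) so the result is reproducible; one label per point."""
    order = sorted(range(len(points)), key=lambda i: points[i])
    cents = [points[order[i * len(points) // k]] for i in range(k)]
    dist2 = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: dist2(p, cents[c])) for p in points]
        new = []
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append([sum(col) / len(members) for col in zip(*members)]
                       if members else cents[c])
        if new == cents:
            break
        cents = new
    return labels


def simplex_max(c, A, b, eps=1e-9):
    """Maximise c.x subject to A x <= b, x >= 0, with b >= 0 (so the slack
    basis is feasible).  Dense tableau with Bland's rule, which cannot cycle
    on the highly degenerate DEA constraints.  Returns (optimal value, x)."""
    m, n = len(A), len(c)
    T = [list(map(float, row)) + [1.0 if i == r else 0.0 for i in range(m)] + [float(b[r])]
         for r, row in enumerate(A)]
    T.append([-float(x) for x in c] + [0.0] * m + [0.0])
    basis = [n + r for r in range(m)]
    while True:
        enter = next((j for j in range(n + m) if T[-1][j] < -eps), None)  # Bland: lowest index
        if enter is None:
            return T[-1][-1], [T[basis.index(j)][-1] if j in basis else 0.0 for j in range(n)]
        leave, best = None, None
        for r in range(m):                         # minimum-ratio test, ties by lowest basis index
            if T[r][enter] > eps:
                ratio = T[r][-1] / T[r][enter]
                if leave is None or ratio < best - eps or (abs(ratio - best) <= eps and basis[r] < basis[leave]):
                    leave, best = r, ratio
        if leave is None:
            raise ValueError("unbounded LP")
        piv = T[leave][enter]
        T[leave] = [x / piv for x in T[leave]]
        for r in range(m + 1):
            if r != leave and T[r][enter] != 0.0:
                f = T[r][enter]
                T[r] = [x - f * y for x, y in zip(T[r], T[leave])]
        basis[leave] = enter


def dea_ccr(inputs, outputs):
    """Input-oriented CCR efficiency (multiplier form) for every DMU o:
    max u.y_o  s.t.  v.x_o <= 1,  u.y_j - v.x_j <= 0 for all j,  u, v >= 0.
    A score of 1.0 means no choice of weights lets another DMU (or a scaled
    combination of DMUs) deliver the same outputs with proportionally less input."""
    n, m, s = len(inputs), len(inputs[0]), len(outputs[0])
    scores = []
    for o in range(n):
        c = list(outputs[o]) + [0.0] * m             # objective: u.y_o
        A = [[0.0] * s + list(inputs[o])]             # v.x_o <= 1
        b = [1.0]
        for j in range(n):                            # u.y_j - v.x_j <= 0
            A.append(list(outputs[j]) + [-x for x in inputs[j]])
            b.append(0.0)
        scores.append(round(simplex_max(c, A, b)[0], 6))
    return scores


# Constructed branch records (hypothetical figures): name, staff headcount,
# monthly transactions [k], IT security spend [k ZAR/yr], security staff
# hours/yr, active accounts [k].  Staff and transactions describe branch size
# (step 1); spend and hours are the security inputs, transactions and accounts
# the outputs, that the DEA step measures against (step 2).
BRANCHES = [
    ("B01", 12, 24, 180, 400, 9), ("B02", 10, 20, 150, 350, 8),
    ("B03", 15, 30, 260, 520, 11), ("B04", 11, 22, 200, 480, 8),
    ("B05", 55, 160, 700, 1600, 60), ("B06", 48, 140, 650, 1500, 52),
    ("B07", 60, 180, 1000, 2400, 62), ("B08", 42, 120, 620, 1300, 45),
]


def evaluate_branches(branches, k=2):
    """Step 1: cluster on size attributes.  Step 2: DEA within each cluster only,
    so a small branch is never scored against a large one.  {name: (cluster, score)}."""
    labels = kmeans(standardise([[b[1], b[2]] for b in branches]), k)
    result = {}
    for c in range(k):
        group = [b for b, l in zip(branches, labels) if l == c]
        if not group:
            continue
        scores = dea_ccr([[b[3], b[4]] for b in group], [[b[2], b[5]] for b in group])
        for b, sc in zip(group, scores):
            result[b[0]] = (c, sc)
    return result


if __name__ == "__main__":
    for name, (c, sc) in sorted(evaluate_branches(BRANCHES).items()):
        print(f"{name} cluster={c} efficiency={sc:.3f}")
```

Branches scoring 1.0 lie on the efficient frontier of their cluster; a score below 1.0 is the proportion of its current security inputs the branch would need to match a frontier peer (or a combination of peers) at the same output level, which is the figure a budget discussion can be anchored on. Because the DEA constraints are degenerate (right-hand sides of zero), the solver uses Bland's rule rather than the usual largest-coefficient rule; for more than a few dozen branches per cluster a library LP solver would be the better choice.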
