Conceptual Design of a Method to Support IS Security Investment Decisions

Information systems are part and parcel of critical infrastructures. In order to safeguard the compliance of information systems, private enterprises and governmental organizations can implement a large variety of distinct measures, ranging from technical measures (e.g. the deployment of a firewall) to organizational measures (e.g. the introduction of security awareness management). The realization of such measures requires investments with an uncertain prospective return that can hardly be determined. An appropriate method for the profitability assessment of alternative IS security measures has not been developed so far. With this article we propose a conceptual design for a method that enables the determination of the success of alternative security investments on the basis of a process-oriented perspective. Within a design science approach we combine established artifacts of the field of IS security management with those of the field of process management and controlling. On that basis we develop a concept that allows decision-makers to prioritize the investments for dedicated IS security measures.
