Optimal Information Security Expenditures Considering Budget Constraints

In this paper, we present a new quantitative optimization model to support decision makers in determining how much to invest in information security and how to allocate the funds. The approach accounts for the uncertain properties of security risks and provides concrete investment recommendations. Evaluating the problem holistically improves insight into its structure and leads to better decision making. By using methods of mathematical optimization, the available budget can be utilized most effectively. An exemplary case study demonstrates how the approach is applied to increase the security of a cloud-based information system. To test our model, we use both very detailed and vague input data. In both cases, good results are produced that can serve as the basis for further decision making. The approach is designed to be used within the framework of an existing risk management process.
