CITS: The Cost of IT Security Framework

Organizations know that investing in security measures is an important requirement for doing business. But how much should they invest, and how should those investments be directed? Many organizations have turned to a risk management approach to identify the largest threats and the control measures that could help mitigate them. This research presents the Cost of IT Security (CITS) Framework to support analysis of the costs and benefits of those control measures. The analysis can be performed either with quantification methods or with a qualitative approach. Based on a study of five distinct security areas (Identity Management, Network Access Control, Intrusion Detection Systems, Business Continuity Management and Data Loss Prevention), nine cost factors are identified for IT security, and for only five of those nine is a quantitative approach feasible. This study finds that even though quantification methods are useful, organizations that wish to use them should combine them with more qualitative approaches in the decision-making process for security measures.
