Economic aspects and needs in IT-security risk management for SMEs

Business success depends increasingly on reliable IT infrastructure. IT-Security risk management aims at an optimal allocation of security resources with respect to an “affordable” IT-Security level. In comparison to large corporations, small and medium-sized enterprises (SMEs) typically have few resources and little expertise in IT-Security risk management. Therefore, they need SME-focused framework processes and methods for strategic planning and operational tool support. The long-term goal is to improve the general security level of SME IT infrastructure. In this position paper, we argue for a closer tie between economic and technical aspects of IT-Security risk management. Based on the RiskIt risk management process, we propose empirical investigations to tackle SME-specific data needs for risk analysis and multi-objective optimization for risk-countermeasure resource allocation.

1. Current Interests

Markus Klemen is on a Ph.D. track at the Vienna University of Technology, where he focuses on economic issues of IT-Security risk management specifically customized to the requirements of small and medium-sized enterprises, which may be addressed by means of multi-objective decision support methods (see also [20]). His other areas of interest include Honeynet projects, IPv6 security aspects and information security procedures.

Stefan Biffl is an associate professor of software engineering at the Vienna University of Technology. His research interests include empirical software engineering, economic models for software engineering processes, project management, quality management, software inspection, and reading techniques for software inspection.

2. Past Work

During our cooperation with SMEs over the past years, we found a profound need for solid, scientific support for SME-specific IT-Security. We began to address this field, first in a diploma thesis (IT-Security in SMEs).
Based on early work of Raiffa and Schlaifer dating back to 1961 [1], with considerable refinement by Howard in 1966 [2], we adapt the RiskIt process for systematic risk management to IT-Security requirements [3][4][5]. For the economic evaluation of decision options we have used classic approaches to the financial quantification of IT-related risks such as ALE (Annual Loss Expectancy) [6], enhanced in Kevin SooHoo’s Ph.D. thesis [7]. As IT-Security countermeasure planning is often a multi-objective problem, we came across the concept of quadtrees developed by Habenicht [8] and Sun and Steuer [9]. For further research we want to build on an application of the theory of multi-objective decision support to IT-Security by Stummer and Strauss [11].
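To make the two quantitative ideas in this paragraph concrete, the following Python script computes ALE (single loss expectancy times annualized rate of occurrence) for a set of risks and then treats countermeasure selection as a two-objective problem, minimizing annual countermeasure cost and residual ALE at the same time. It is an added example, not code or data from the paper or its authors: the risks, countermeasures, costs and reduction factors are constructed for a hypothetical SME, the multiplicative combination of reductions is a modelling assumption, and the brute-force enumeration of portfolios stands in for the quadtree-based search the paper refers to.

```python
"""Annual Loss Expectancy (ALE) and Pareto-optimal countermeasure portfolios.

Added example, not code from the position paper. All risks, countermeasures
and numbers are constructed for a hypothetical SME; the multiplicative
combination of reductions is a modelling assumption, not a rule from the paper.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: loss per incident (EUR)
    aro: float  # annualized rate of occurrence (incidents per year)

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # fraction of each named risk's ALE that the measure removes (0..1)
    reduction: Dict[str, float] = field(default_factory=dict)


# --- constructed sample data for a hypothetical SME (not from the paper) ---
RISKS = [
    Risk("ransomware on file server", sle=40_000, aro=0.25),  # ALE 10,000
    Risk("laptop theft", sle=5_000, aro=0.5),                 # ALE  2,500
    Risk("web shop outage", sle=8_000, aro=1.0),              # ALE  8,000
]
COUNTERMEASURES = [
    Countermeasure("offline backups", 2_000, {"ransomware on file server": 0.8}),
    Countermeasure("full-disk encryption", 500, {"laptop theft": 0.9}),
    Countermeasure("managed web hosting", 3_000, {"web shop outage": 0.5}),
    Countermeasure("awareness training", 1_500,
                   {"ransomware on file server": 0.3, "laptop theft": 0.2}),
]

Portfolio = Tuple[Tuple[str, ...], float, float]  # (names, cost, residual ALE)


def total_ale(risks: List[Risk]) -> float:
    """Expected annual loss with no countermeasures deployed."""
    return sum(r.ale for r in risks)


def residual_ale(risks: List[Risk], portfolio: List[Countermeasure]) -> float:
    """Residual annual loss after deploying a portfolio.

    Assumption: independent measures combine multiplicatively, i.e. measures
    removing 80% and 30% of a risk leave 0.2 * 0.7 = 14% of its ALE.
    """
    total = 0.0
    for risk in risks:
        remaining = risk.ale
        for cm in portfolio:
            remaining *= 1.0 - cm.reduction.get(risk.name, 0.0)
        total += remaining
    return round(total, 2)  # rounding hides float noise in comparisons


def portfolio_cost(portfolio) -> float:
    return sum(cm.annual_cost for cm in portfolio)


def evaluate_portfolios(risks, countermeasures) -> List[Portfolio]:
    """Enumerate every subset of countermeasures (fine for a handful of
    options; larger problems need quadtree or branch-and-bound search)."""
    results = []
    for k in range(len(countermeasures) + 1):
        for subset in combinations(countermeasures, k):
            names = tuple(cm.name for cm in subset)
            results.append((names, portfolio_cost(subset),
                            residual_ale(risks, list(subset))))
    return results


def pareto_front(points: List[Portfolio]) -> List[Portfolio]:
    """Keep portfolios not dominated in (cost, residual ALE), both minimized."""
    front = []
    for p in points:
        dominated = any(
            q[1] <= p[1] and q[2] <= p[2] and (q[1] < p[1] or q[2] < p[2])
            for q in points
        )
        if not dominated:
            front.append(p)
    return sorted(front, key=lambda t: t[1])


def best_under_budget(front: List[Portfolio], budget: float):
    """Decision rule: the affordable Pareto point with the lowest residual ALE."""
    affordable = [p for p in front if p[1] <= budget]
    return min(affordable, key=lambda t: t[2]) if affordable else None


if __name__ == "__main__":
    print(f"Total ALE without countermeasures: {total_ale(RISKS):,.0f} EUR")
    front = pareto_front(evaluate_portfolios(RISKS, COUNTERMEASURES))
    for names, cost, residual in front:
        print(f"cost {cost:>6,.0f}  residual ALE {residual:>8,.0f}  {names}")
    print("best with 3,000 EUR budget:", best_under_budget(front, 3_000))
```

The Pareto front is what a decision maker actually needs to see: each point is a portfolio where spending less necessarily means accepting more expected loss. A single-objective rule such as "minimize cost plus residual ALE" picks one point on that front; a budget constraint picks another, and the script shows both views without committing to either.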

[1] F. McFarlan et al. Corporate Information Systems Management: Issues Facing Senior Executives, 1995.

[2] H. Raiffa et al. Applied Statistical Decision Theory, 1961.

[3] Barry W. Boehm et al. Developing Groupware for Requirements Negotiation: Lessons Learned, 2001, IEEE Software.

[4] Ralph E. Steuer et al. InterQuad: An interactive quad tree based procedure for solving the discrete alternative multiple criteria problem, 1996.

[5] B. Boehm. Software risk management: principles and practices, 1991, IEEE Software.

[6] Minghe Sun et al. Quad Tree Data Structures For Use In Large-Scale Discrete Alternative Multiple Criteria Problems, 2000.

[7] J. van Leeuwen et al. Information Security, 2003, Lecture Notes in Computer Science.

[8] Sebastiaan H. von Solms et al. Information Security Management: An Approach to Combine Process Certification And Product Evaluation, 2000, Computers & Security.

[9] Suresh L. Konda et al. Taxonomy-Based Risk Identification, 1993.

[10] Robert O. Briggs et al. EasyWinWin: managing complexity in requirements negotiation with GSS, 2002, Proceedings of the 35th Annual Hawaii International Conference on System Sciences.

[11] Michael M. May et al. How much is enough? A risk management approach to computer security, 2000.

[12] Victor R. Basili et al. Empirical Evaluation of a Risk Management Method, 1997.

[13] Howard Raiffa et al. Applied Statistical Decision Theory, 1961.

[14] Christine Strauss et al. Multiobjective Decision Support in IT-Risk Management, 2002, International Journal of Information Technology & Decision Making.

[15] Stefan Biffl et al. Tool support for a risk management process - an empirical study on effectiveness and efficiency, 2004, IASTED Conference on Software Engineering.

[16] Jyrki Kontio et al. The Riskit Method for Software Risk Management, version 1.00, 1997.

[17] Robert N. Charette et al. Software Engineering Risk Analysis and Management, 1989.