Determining the Value of Information Security Investments - A Decision Support System

Hannah Louise Davies, Andrew J. C. Blyth

2014

Abstract

Advances in the technological era are making information security breaches a more common occurrence. A vital part of ensuring that an organisation is well protected from these increasingly complex threats is a suitable security solution. The suitability of a security solution should not only be measured in terms of goals such as reducing downtime or reducing the risk of a certain threat, but should also meet stakeholder and executive goals in terms of being cost effective. Currently, cost effectiveness is determined by a return on security investment calculation, in which the cost of a solution is evaluated against any savings resulting after purchasing the solution to determine whether the option is viable. The current implementation of return on security investment calculations, however, is often subjective and inaccurate, as calculations are performed in an ad-hoc manner. When there are multiple factors to consider, with uncertain or incomplete values available, a multi-attribute decision making method that accounts for uncertainty is required in order to allow the decision maker to assess all possible options in the most logical and objective manner, whilst keeping in mind the goals of the organisation. In this paper we present and evaluate a conceptual, analytical framework that, with the use of multi-attribute utility theory under uncertainty, is able to model return on security investment calculations in a novel way. This new calculation is introduced as a Value of Information Security Investment calculation. The final goal is to create a framework that allows for repeatable, predictable and mature calculations that determine the value of an information security investment.
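To make the contrast in the abstract concrete, here is an added illustration (not the authors' framework or code) of how a multi-attribute utility comparison differs from a bare ROSI figure. It assumes an additive utility model with linear single-attribute utilities, treats the uncertain inputs as independent discrete scenarios, and uses constructed option data and weights; the `rosi` formula is the common "loss avoided minus cost, per unit cost" form.

```python
"""Added example: ranking security investments by expected multi-attribute
utility under uncertainty. Options, weights and utility ranges are constructed."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Option:
    name: str
    cost: float                  # annual cost of the control
    ale_before: float            # annualised loss expectancy without the control
    # Uncertain inputs as (value, probability) scenarios; probabilities sum to 1
    risk_reduction: tuple        # fraction of ALE avoided
    downtime_reduction: tuple    # fraction of downtime avoided

def rosi(ale_before, risk_reduction, cost):
    """Plain ROSI: monetary loss avoided, net of the control cost, per unit cost."""
    return (ale_before * risk_reduction - cost) / cost

def utility(x, lo, hi):
    """Linear single-attribute utility on [lo, hi], clamped to [0, 1]."""
    return max(0.0, min(1.0, (x - lo) / (hi - lo)))

def expected_value(opt, weights):
    """Additive MAUT score: weighted sum of attribute utilities, averaged over the
    joint distribution of the uncertain inputs (assumed independent)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("attribute weights must sum to 1")
    total = 0.0
    for (rr, p_rr), (dr, p_dr) in product(opt.risk_reduction, opt.downtime_reduction):
        u = (weights["rosi"] * utility(rosi(opt.ale_before, rr, opt.cost), -1.0, 3.0)
             + weights["risk"] * utility(rr, 0.0, 1.0)
             + weights["downtime"] * utility(dr, 0.0, 1.0))
        total += p_rr * p_dr * u
    return total

def rank(options, weights):
    """Best option first; a cheap control with a high best-case ROSI can still lose."""
    return sorted(options, key=lambda o: expected_value(o, weights), reverse=True)

# Constructed data: same baseline ALE, different costs and uncertainty profiles.
OPTIONS = [
    Option("managed EDR", cost=40_000, ale_before=200_000,
           risk_reduction=((0.6, 0.5), (0.8, 0.5)), downtime_reduction=((0.5, 1.0),)),
    Option("in-house hardening", cost=15_000, ale_before=200_000,
           risk_reduction=((0.2, 0.6), (0.5, 0.4)), downtime_reduction=((0.2, 0.7), (0.4, 0.3))),
]
WEIGHTS = {"rosi": 0.5, "risk": 0.3, "downtime": 0.2}  # stakeholder priorities

if __name__ == "__main__":
    for o in rank(OPTIONS, WEIGHTS):
        print(f"{o.name:20s} expected utility = {expected_value(o, WEIGHTS):.3f}")
```

The cheaper option has the higher best-case ROSI (about 5.7 against 3.0) yet ranks lower once the probability of the weaker outcome and the other attributes are weighed in.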



Paper Citation


in Harvard Style

Louise Davies H. and J. C. Blyth A. (2014). Determining the Value of Information Security Investments - A Decision Support System. In Proceedings of the International Conference on Knowledge Management and Information Sharing - Volume 1: KMIS, (IC3K 2014) ISBN 978-989-758-050-5, pages 426-433. DOI: 10.5220/0005170704260433


in Bibtex Style

@conference{kmis14,
author={Hannah Louise Davies and Andrew J. C. Blyth},
title={Determining the Value of Information Security Investments - A Decision Support System},
booktitle={Proceedings of the International Conference on Knowledge Management and Information Sharing - Volume 1: KMIS, (IC3K 2014)},
year={2014},
pages={426-433},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005170704260433},
isbn={978-989-758-050-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Knowledge Management and Information Sharing - Volume 1: KMIS, (IC3K 2014)
TI - Determining the Value of Information Security Investments - A Decision Support System
SN - 978-989-758-050-5
AU - Louise Davies H.
AU - J. C. Blyth A.
PY - 2014
SP - 426
EP - 433
DO - 10.5220/0005170704260433