رویکرد مدل سازی اقتصادی به مدیریت ریسک امنیت اطلاعات

This paper presents an approach enabling economic modelling of information security risk management in contemporaneous businesses and other organizations. In the world of permanent cyber attacks to ICT systems, risk management is becoming a crucial task for minimization of the potential risks that can endeavor their operation. The prevention of the heavy losses that may happen due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and purchase of data protection systems. With the rise of the potential risks the investment in security services and data protection is growing and is becoming a serious economic issue to many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats, the vulnerabilities of the ICT systems and proposes a procedure that enables selection of the optimal investment of the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for an external insurance based on the quantified risk analyses is also provided.

The Internet evolution is one of the greatest innovations of the twentieth century and has changed lives of individuals and business organizations. Sharing of information, e-commerce and unified communication are some typical main benefits of using the Internet. Trends like globalization, higher productivity and reducing the costs make business organizations increasingly dependent on their information systems and the Internet services. Potential attacks on the information systems and eventual crash may cause heavy losses on data, services and business operation. Security risks are present in the organization's information system due to technical failures, system vulnerabilities, human failures, fraud or external events. This is the main reason why organizations are investing in information security systems, which are designed to protect the confidentiality, integrity and availability of information assets. Due to the rising awareness regarding the potential risks of attacks and breaches, the investments in information security are increasing and are taking different approaches depending on the area of applications. Although security technologies have made great progress in the last 10 years, the security level of computers and networks has never been considerably improved (Schneier, 2004; Whitman, 2003). Almost a decade ago, a number of researchers began to realize that information security is not a problem that only technology can solve and tried to include also an economic point of view. This approach enables business managers’ better understanding of security investments, because the importance of security failure is presented through economical losses instead of technical analysis. This is the reason why security-aware organizations are shifting the focus on the prevention of possible failures from what is technically possible to what is economically optimal (Anderson, 2001; Anderson & Schneier, 2005; Schneier, 2004). When looking on information security system from economics point of view, economics can actually provide answers to many questions where just technical explanation has no satisfying answer: how does an organization become secure in its IT-based operation? Which security level is adequate? How much money should be invested in security? Business organizations try to solve these questions in terms of risk management. Information security risk management is the overall process which integrates the identification and analysis of risks to which the organization is exposed, the assessment of potential impacts on the business, and deciding what action can be taken to eliminate or reduce risk to acceptable level (NIST, 2002). It requires a comprehensive identification and evaluation of the organization's information assets, consequences of security incidents, likelihoods of successful attack to the ICT systems, and business costs and benefits of security investments (Hoo, 2000). Standards and guidelines are available for information security management, such as the ISO 27000 series and NIST publications (ISO, 2005; NIST, 2008). Security risk management applied by an organization usually consists of: 1. identification of the business assets; 2. threats identification and damage assessment that may be caused by successful attack; 3. security vulnerabilities of the systems that the attack may exploit; 4. security risk assessment; 5. measures to minimize the risk with implementation of appropriate controls; 6. monitoring the effectiveness of implemented controls. This paper proposes a standard approach towards assessment of the required ICT security investment and data protection. In the approach proposed, the assets, the threats and the vulnerabilities of the ICT systems are identified first through a security risk analysis; then a method for quantification of the necessary investment in security provision is described. The paper ends with discussion of the applicability of the approach for enterprise security risk, an external insurance based on the quantified risk analyses.

Information security risk management is a fundamental concern to all organizations. This paper presents the analysis of the problem associated with determining investment in information security. The outcome of the analysis resulted in a recommendation that could evolve in a standardized approach. The approach starts with the methodical system used in the risk management process, which enables identification of the assets. This provides good understanding of why and what should be protected in a particular organization. The threat analysis provides information about the threats and with what an organization is to confront in the global business processes. The combination of these approaches enables good understanding of the security information protection that may have an impact on the on-going business. In addition to that, the vulnerability analysis shows where and how the threat could occur. By the combination of the identified vulnerabilities and the respective controls that mitigate the risk, the probability of occurrence of the threat can be estimated. After the risk is defined, the financial metrics to evaluate the security investments to mitigate risk can be applied. So far, no standard model for determining the financial risk associated with security incidents exists and the recommendation is for the use of several indexes, combined or modified, due to the circumstances of particular cases as the methods for figuring out the cost of solutions can vary greatly. Some include hardware, software and service costs, while others factor in internal costs, including indirect overhead, and long-term impacts on the productivity. Each of the indexes presented in this paper (ROI, NPV and IRR) have their benefits, but each of them used individually does not present an appropriate solution. Therefore, the best way to assess the required investment is the use of a combination of these methods.