Security Decisions are Investment Decisions
- Estimating payoff is difficult (non-linear, interactions)
- Redundancy as an example
Greater security investments do not necessarily translate to improvements in information security and smaller likelihoods of security breaches
Return on Security Investment RoSI
RoSI indicates the relationship between costs and benefits of a security investment and thus shows if or when information security investments lead to a Return on Investment (RoI)
R Recovery costs
S Savings
T Tools
ALE Annual Loss Expenditure (residual costs after investment)
ALE = R - S + T
RoSI = R - ALE
R-(R-S+T) = RoSI
RoSI = S - T
relies on precise monetary values therefore problematic
Effectiveness of Security Investments
Paradox: organizations allocate increasingly higher budgets for IT security but, at the same time, data breach incidents have become more frequent and severe,
Hypothesis: organization vary with respect to ho well they integrate security into their practices. Symbolic and substantive investment reflects the degree to which an organization’s activities are correctly reflected in the signals they communicate.
symbolic inv. :
-Window dressing (signaling compliance)
-But no real technical benefit as the main goal)
- e.g. investing in an outdated security technology
I
v
Ineffective in preventing data breaches
substantive investment
-Communicated signals represent adopted practices
-benefits from technology as the main goal
-e.g. full integration of a security technology into the entire IT landscape
I
v
Effective In preventing data breaches
Effectiveness of Security Investments
Kwon and Johnson distinguish between
proactive and reactive security investments
Proactive:
- Made before an incident occurs
- Active investment decision: how and where to invest
Reactive Investment
- After an incident has occurred
- Past oriented investment depending on the incident
their study shows that proactive investments are more effective, lead to fewer security failures and less severe breaches with less affected individuals than reactive investments
Information Security Outsourcing
comissioning a managed security service provider with information security protection
Benefits:
- cost savings
- focus on core business (Kodak) vs (Netflix)
- expertise from others
- increased flexibility (avoid fixcosts)
- follow the sun principle (minimize impact because 24H working)
Outsourcing risks
- Loss of expertise (people leave and hire new people without security knowledge)
- Increasing dependency on managed security service provider (More costly if one wants to switch)
- Distance (cultural distance, avoiding nos)
- Resistance among employees and labor law issues
- Multi client nature of the provider can lead to homogenization of security systems (one client’s security brach can spill over to other clients)
- shared liability, asymmetric information, and lack of control opportunities create double moral hazard problem (both sides fail to invest adequately in security because no-one wants to be responsible)
Cloud computing and Information security
is a model for enabling ubiquitous convenient on demand network access to a shared pool pf computing resources that can be rapidly provisioned and released with minimal management effort or. service provider interaction
three levels:
- SaaS (aplication software office 365)
- PaaS (Platform resources force.com)
- IaaS (AWS)
Pros and Cons of Cloud Computing
+
- > cost savings
- > speed of implementation
- > flexibility (Increase space for temporarily need)
- > automatic updates (provider takes care)
-
- > potential cloud related vulnerabilities (internet as channel of attack)
- > different legal jurisdiction (different jurisdiction)
- > subcontracting (giving up control over my data)
Risk assessment, safeguards, back ups, hq location, support, location of data storage, process of dealing with security breaches
