Information Security Research Paper: Traditional financial models commonly used in business today, such as Net Present Value (NPV), Internal Rate of Return (IRR) and Return on Investment (ROI), tend to break down and become less effective when applied to Information Security.
This is due, in part, to the function of security, as well as to the difficulty of quantifying expected loss (cost) and the lack of positive cash flows. To address this, I reviewed the current literature and present several models to help the Information Security Manager. (Part of ongoing research)
Page 1 of 10
Abstract
This research conducts a systematic review of the literature to address the pressing need of Information Security Managers to create a persuasive business case when evaluating investments within Information Security. To date, there is no consensus within academia or among practitioners on a “best practice” model or standard.
As such, business managers find themselves relying upon traditional financial models that fail to translate to Information Security due, in part, to the function of security and the difficulty of assessing the probabilities of expected loss.
Given this, when considering investing in Information Security, managers may over- or under-invest, leading to wasted corporate resources and potentially a drop in share price. To address this, we reviewed the literature to show four models that may help to serve the needs of the investing executive within the firm.
Introduction
Research is abundant, with respect to Information Security, when it comes to technology (i.e., encryption, access controls, etc.). However, the same cannot be said about the financial or economic value of investments in Information Security within organizations. Although the literature is increasing, traditional financial models used by business managers to make investment decisions, such as Net Present Value or IRR, break down or do not easily translate when applied to Information Security. (Bashroush, 2016)
In a general sense, managers look at the present value of future cash flows to determine whether an investment brings value to the organization and shareholders. However, investment decisions within Information Security rarely, if ever, provide positive cash flows, resulting in a negative NPV or a grotesque hurdle rate (IRR).
Indeed, the lack of a tangible return on investment is due to the function of Information Security. That is, investments in security aim to reduce or mitigate the risk of an expected loss (cost) to valuable information within an organization. Security is at its best when nothing happens. Therefore, the more successful an Information Security strategy is, the more difficult it is to measure its tangible benefits. (Bashroush, 2016)
Moreover, most currently available models addressing investment decisions rely heavily on qualitative data, or expert opinion, expressed on an ordinal scale to subjectively discern the expected loss of an attack and the uncertainty or probability of one occurring. Such methods open the door to cognitive bias and therefore inevitably distort the intended findings.
Page 2 of 10
The result is a lack of understanding by most decision-makers when it comes to adequate Information Security, leading to over- or under-investment within the organization, needlessly wasting constrained, scarce resources, which could result in a reduced share price.
To address this issue, a survey of the available literature was conducted with the intent to provide guidance to both business managers and Information Security practitioners alike by offering an overview of the latest research. While certainly not exhaustive, the following financial models attempt to provide a framework with which business managers can augment qualitative data with quantitative data to improve the decision-making process.
Research Method
While pursuing the objectives of this study, a systematic review of the literature was initiated through Google Scholar, EBSCO Host, ProQuest, Elsevier, ScienceDirect, Springer and IEEE Xplore. The chosen keywords were as follows:
Keywords: Information Security, Investment, Framework, Cybersecurity, Return on Security Investment, Return on Attack, Economics, InfoSec, Budget Constraints, Constrained Optimization, Investment Models, Return on Investment, Net Present Value, IRR
Filtering of the results was then applied: I restricted the results to research published from 2000 to 2016. The following evaluation criteria were then considered.
Benefits:
- Financial
- Non-Financial
Costs:
- Recurring
- Non-Recurring
- Variable
- Fixed
- Opportunity
- Sunk
Input:
- Qualitative
- Quantitative
Output:
- Qualitative
- Quantitative
Budget Type:
- Constrained
- Unconstrained
Investment Approach:
- One Time Investment
- Split Investment
Research Findings
While the topic of investment strategies within Information Security has gained increasing attention in the last several years, there is yet to be a consensus concerning which method is best. Therefore, based on the literature, we look at several different quantitative models currently available. Those models include the Gordon-Loeb Model, the Sonnenreich Model, the Cremonini Model and the Bojanc, Blazic and Tekavcic Model.
Page 3 of 10
Gordon-Loeb Model
In their seminal work, Gordon and Loeb, arguably the most recognized scholars in information security investment analysis, or more accurately information security economics, determine the optimal amount to invest in a security measure to reduce the vulnerability of an information set. Their research shows that "for a given potential expected loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with mid-range vulnerabilities." (Gordon & Loeb, 2002)
The model is predicated on the following assumptions, where $z$ is the amount invested in security, $v$ is the information set's inherent vulnerability, $t$ is the probability of a threat and $S(z,v)$ is the probability of a breach given that the threat is realized:
"A1. $S(z,0) = 0$ for all $z$. That is, if the information set is completely invulnerable, then it will remain perfectly protected for any amount of information security investment, including a zero investment.
A2. For all $v$, $S(0,v) = v$. That is, if there is no investment in information security, the probability of a security breach, conditioned on the realization of a threat, is the information set's inherent vulnerability.
A3. For all $v \in (0,1)$ and all $z$, $S_z(z,v) < 0$ and $S_{zz}(z,v) > 0$, where $S_z$ denotes the partial derivative with respect to $z$ and $S_{zz}$ denotes the partial derivative of $S_z$ with respect to $z$. That is, as the investment in security increases, the information is made more secure, but at a decreasing rate.
A4. For all $v \in (0,1)$, $\lim_{z \to \infty} S(z,v) = 0$, so by investing sufficiently in security, the probability of a security breach, $t \cdot S(z,v)$, can be made arbitrarily close to zero." (Gordon & Loeb, 2002)
Therefore, to the extent that the above assumptions hold, the expected net benefit of an investment $z$ is the expected benefit, namely the reduction in expected loss it produces (proportional to $v - S(z,v)$ times the threat probability $t$), minus the cost $z$ of the investment (Gordon & Loeb, 2002). That is to say, a rational investor should only invest up to the point where the marginal benefit equals the marginal cost.
The paper goes on to show that, for "two broad classes of information security breach probability functions", the optimal amount to spend never exceeds $1/e \approx 37\%$ of the expected loss that would be present if one did not invest in the security measure (Gordon & Loeb, 2002).
Finally, while the optimum level shown in the research does not exceed 37 percent, it needs to be noted that Gordon and Loeb derive this bound only for those two classes of breach probability functions. This begs the question of whether the breach probability functions met in the "wild" fall into those two classes, and whether the bound still models the level of security needed when they do not.
Furthermore, in order to draw their conclusions, Gordon and Loeb assume that fixed costs within Information Security equal zero. This assumption invites criticism, considering that fixed costs are defined as "expenses that remain (must be paid) unchanged as the volume of activity (productivity) changes." (Lanen, 2011)
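As an added worked example (code written for this review, not from Gordon and Loeb's paper), the following Python implements the two classes of breach probability function they analyse, class I $S(z,v) = v/(\alpha z + 1)^\beta$ and class II $S(z,v) = v^{\alpha z + 1}$, maximizes the expected net benefit numerically, checks the $1/e$ bound, and scans $v$ to show the mid-range effect quoted above. The parameter values ($\alpha = \beta = 1$, $t = 1$, the loss per breach) are assumptions chosen for illustration.

```python
import math

# Added example, not code from Gordon and Loeb's paper or from this review's
# author. It implements the two classes of security breach probability
# function S(z, v) analysed by Gordon and Loeb (2002) and searches numerically
# for the investment z* that maximizes expected net benefit. All parameter
# values (alpha, beta, t, loss, v) are assumptions chosen for illustration.


def s_class1(z, v, alpha=1.0, beta=1.0):
    """Class I breach probability: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1.0) ** beta


def s_class2(z, v, alpha=1.0):
    """Class II breach probability: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, t, loss, s):
    """Expected net benefit from investing z: the reduction in expected loss,
    (v - S(z, v)) * t * loss, minus the investment z itself."""
    return (v - s(z, v)) * t * loss - z


def optimal_investment(v, t, loss, s, iterations=200):
    """Find z* on [0, v*t*loss] by ternary search. ENBIS is concave in z
    because S_zz > 0 (assumption A3), so a unimodal search suffices; spending
    more than the expected loss v*t*loss can never pay, which bounds the range."""
    lo, hi = 0.0, v * t * loss
    for _ in range(iterations):
        m1 = lo + (hi - lo) / 3.0
        m2 = hi - (hi - lo) / 3.0
        if enbis(m1, v, t, loss, s) < enbis(m2, v, t, loss, s):
            lo = m1
        else:
            hi = m2
    z_star = (lo + hi) / 2.0
    return z_star, enbis(z_star, v, t, loss, s)


def one_over_e_bound_holds(v, t, loss, s):
    """Gordon-Loeb result: z* never exceeds 1/e of the expected loss v*t*loss."""
    z_star, _ = optimal_investment(v, t, loss, s)
    return z_star <= v * t * loss / math.e + 1e-6


def scan_vulnerability(vs, t, loss, s):
    """z* for each vulnerability in vs, to see how the optimal spend moves with v."""
    return [(v, optimal_investment(v, t, loss, s)[0]) for v in vs]


if __name__ == "__main__":
    # Constructed figures: t = 1 (a threat is certain), loss of 1,000,000 per breach.
    for name, s in (("class I", s_class1), ("class II", s_class2)):
        z_star, net = optimal_investment(0.5, 1.0, 1_000_000.0, s)
        ok = one_over_e_bound_holds(0.5, 1.0, 1_000_000.0, s)
        print(f"{name}: z* = {z_star:,.1f}, ENBIS = {net:,.1f}, 1/e bound holds: {ok}")
    # Class II with a 1,000 loss: z* rises with v and then drops to zero as v
    # approaches 1, because spending can no longer move the breach probability.
    for v, z_star in scan_vulnerability((0.5, 0.9, 0.99, 0.999), 1.0, 1000.0, s_class2):
        print(f"v = {v}: z* = {z_star:.1f}")
```

With a loss of 1,000,000 and $v = 0.5$ the optimum is about 706 for class I and about 18 for class II, far below the $1/e$ bound of roughly 183,940; with a loss of 1,000, the class II optimum climbs to about 229 at $v = 0.99$ and then falls to zero at $v = 0.999$, which is the sense in which the most vulnerable information sets are not always where the money should go.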
Sonnenreich Model
Writing in the Journal of Research and Practice in Information Technology, Sonnenreich, Albanese and Stout (2006) produced a model called the SecureMark system, better known as Return on Security Investment (ROSI). The authors describe the model mathematically as follows (Sonnenreich et al., 2006):
$$\mathrm{ROSI} = \frac{(\text{Risk Exposure} \times \text{Risk Mitigated}) - \text{Solution Cost}}{\text{Solution Cost}}$$
As stated earlier, measuring expected return within Information Security is difficult at best and glorified guesswork at worst. The ROSI model seeks to address this by replacing Expected Return in the classic Return on Investment (ROI) calculation with (Risk Exposure × Risk Mitigated). To quantify risk exposure, the model uses the "Annual Loss Exposure (ALE) which multiplies the projected cost of a security incident (Single Loss Exposure – SLE) with its estimated annual rate of occurrence (ARO)." (Sonnenreich et al., 2006)
$$\text{Risk Exposure} = \mathrm{ALE} = \mathrm{SLE} \times \mathrm{ARO}$$
Measuring risk exposure, while relatively simple in mathematical terms, becomes extremely difficult in practice, for many reasons: differing accounting methods, varying measurements of data loss across industries and miscalculations of items such as downtime and opportunity costs are a few examples. Ideally, actuarial data should be used to measure risk exposure. Unfortunately, with respect to Information Security, this data is in its early stages and does not yet have much veracity behind it.
Quantifying risk mitigated is no less precarious than measuring risk exposure. As stated earlier, Information Security is at its best when nothing occurs; as such, how does one measure a loss that was prevented? For example, "a company's intrusion detection system might show that there were 10 successful break-ins last year, but only five this year. Was it due to the new security device the company bought, or was it because five less hackers attacked the network?" (Sonnenreich et al., 2006)
As we have seen, while the model attempts to quantify the return on an investment in Information Security, differing corporate structures pose problems in standardizing, or arriving at a consensus on, the model's outcomes. Moreover, should an organization make investments in security over a given time frame, the ROSI model ignores the time value of money, while also disregarding opportunity cost and real options, all three of which can affect the bottom line.
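As an added example (code written for this review, not the authors' own), the following Python computes ROSI from the ALE inputs above, derives the break-even fraction of ALE a control must remove, and brackets ROSI across interval estimates of ARO and risk mitigated, which is where the practical difficulty described above shows up. The SLE, ARO, mitigation and cost figures are constructed.

```python
# Added example, not code from Sonnenreich, Albanese and Stout. It evaluates
# ROSI from ALE, finds the break-even mitigation rate, and shows how far the
# answer moves across the uncertainty in ARO and risk mitigated that the text
# describes. All figures are constructed for illustration.


def annual_loss_exposure(sle, aro):
    """ALE = SLE * ARO: projected cost of one incident times its yearly frequency."""
    return sle * aro


def rosi(sle, aro, risk_mitigated, solution_cost):
    """ROSI = ((Risk Exposure * Risk Mitigated) - Solution Cost) / Solution Cost,
    with Risk Exposure = ALE and Risk Mitigated the fraction of ALE removed."""
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    return (annual_loss_exposure(sle, aro) * risk_mitigated - solution_cost) / solution_cost


def breakeven_mitigation(sle, aro, solution_cost):
    """Fraction of ALE the control must remove for ROSI to reach zero."""
    return solution_cost / annual_loss_exposure(sle, aro)


def rosi_band(sle, aro_range, mitigated_range, solution_cost):
    """Worst- and best-case ROSI over interval estimates of ARO and risk
    mitigated. ROSI increases with both inputs, so the two corners bound it."""
    worst = rosi(sle, aro_range[0], mitigated_range[0], solution_cost)
    best = rosi(sle, aro_range[1], mitigated_range[1], solution_cost)
    return worst, best


def decision_is_robust(sle, aro_range, mitigated_range, solution_cost):
    """True when ROSI has the same sign at both ends of the band, i.e. the
    invest/do-not-invest decision does not depend on which estimate is right."""
    worst, best = rosi_band(sle, aro_range, mitigated_range, solution_cost)
    return (worst >= 0) == (best >= 0)


def mitigation_from_incident_counts(before, after):
    """The naive estimate behind the "10 break-ins last year, 5 this year" example:
    attributes the whole drop to the control. Returns 0 when counts did not fall."""
    if before <= 0 or after >= before:
        return 0.0
    return (before - after) / before


if __name__ == "__main__":
    sle, cost = 100_000.0, 15_000.0  # constructed: loss per incident, control cost
    print("ROSI at ARO 0.5, 40% mitigated:", rosi(sle, 0.5, 0.4, cost))
    print("break-even mitigation at ARO 0.5:", breakeven_mitigation(sle, 0.5, cost))
    print("ROSI band:", rosi_band(sle, (0.2, 0.8), (0.2, 0.6), cost))
    print("robust?", decision_is_robust(sle, (0.2, 0.8), (0.2, 0.6), cost))
    # Naive attribution of an observed drop from 10 to 5 incidents to the control:
    print("mitigation inferred from counts:", mitigation_from_incident_counts(10, 5))
```

With these figures the point estimate gives a ROSI of one third, but the same control scores anywhere between about -0.73 and 2.2 once ARO and risk mitigated are allowed to range over plausible intervals, so the sign of the decision is not robust; narrowing the intervals is what makes it so.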
Cremonini and Martini Model
As a derivative of Return on Investment (ROI), the Cremonini and Martini model argues that while ROI allows a manager to assess whether or not a particular investment will yield a positive return, ROI as a criterion alone does not allow one to accurately compare two mutually exclusive projects that both yield a positive ROI. In part, this is because ROI fails to measure the "disadvantages that differing security measures provide to the attackers." That is, ROI alone cannot capture the efficacy of the two security measures being compared. (Cremonini & Martini, 2005)
To address this, and to capture a security measure's efficacy, Cremonini and Martini introduced Return on Attack (ROA). ROA is an "index which reflects the average and supposed impact of a security solution on an attacker's behavior." Its goal is to improve upon the commonly used ROI measure by identifying, through ROA, the security measure that most discourages the attacker from initiating an attack. (Cremonini & Martini, 2005)
Return on Attack is stated mathematically as follows, where $S$ is the security measure (Cremonini & Martini, 2005):
$$\mathrm{ROA} = \frac{\text{gain from successful attack}}{\text{cost before } S + \text{loss caused by } S}$$
An additional benefit of ROA, as noted in the literature, is its ability to quantify "modifications in the environment". That is, how the evaluation of a particular security solution made at time T changes with respect to modifications in the environment at a later time T1. It can be shown that the value of a given investment changes with the passage of time and with environmental alterations, but ROI as a metric alone cannot capture these changes and assumes a constant relationship. (Cremonini & Martini, 2005)
Therefore, an investment's value to the organization can change over time, to the point that it is no longer an attractive proposition, and traditional financial models fail to recognize these iterations, leading to miscalculations when deciding on a project's investment. Despite the above value-added gains, however, ROA as a metric does have drawbacks.
Those include a lack of consideration for investments made over time. That is, while ROA may capture depreciation in the efficacy of a security measure over time, it gives no consideration to an investment approach spread over time in which the time value of money is recognized. Additionally, as with the other models, no mention is made of budget constraints. It is therefore reasoned that the model assumes an unconstrained budget, at best an impractical assumption for a typical organization.
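As an added example (code written for this review, not from Cremonini and Martini), the following Python ranks two candidate measures by defender ROI and by ROA, and recomputes ROA after an environment change at time T1. The measure names, the attacker's gain and cost figures, and the losses each measure imposes on the attacker are constructed.

```python
# Added example, not code from Cremonini and Martini. It compares two
# candidate security measures by the defender's ROI and by Return on Attack,
# then re-evaluates ROA after a change in the attacker's environment. All
# figures and measure names are constructed for illustration.


def roi(benefit, cost):
    """Defender-side ROI: (benefit - cost) / cost."""
    return (benefit - cost) / cost


def roa(attack_gain, attack_cost_before, loss_caused_by_measure):
    """ROA = gain from successful attack / (cost before S + loss caused by S).
    With no measure in place loss_caused_by_measure is 0."""
    return attack_gain / (attack_cost_before + loss_caused_by_measure)


def rank_by_roa(measures, attack_gain, attack_cost_before):
    """Order measures by the ROA the attacker would face, lowest first: the
    measure that leaves the attacker the smallest return discourages them most.
    measures: dicts with keys name, benefit, cost, loss_caused."""
    scored = [
        (roa(attack_gain, attack_cost_before, m["loss_caused"]), m["name"])
        for m in measures
    ]
    return [name for _, name in sorted(scored)]


def roa_after_environment_change(attack_gain, attack_cost_before, loss_caused, cost_shift):
    """ROA at a later time T1 once the attacker's baseline cost has moved by
    cost_shift (negative when, say, a public exploit makes the attack cheaper).
    The defender's ROI is unchanged by this shift, which is the point of ROA."""
    return roa(attack_gain, attack_cost_before + cost_shift, loss_caused)


MEASURES = [  # constructed: equal defender ROI, different effect on the attacker
    {"name": "A", "benefit": 40_000.0, "cost": 20_000.0, "loss_caused": 8_000.0},
    {"name": "B", "benefit": 40_000.0, "cost": 20_000.0, "loss_caused": 23_000.0},
]
ATTACK_GAIN, ATTACK_COST_BEFORE = 50_000.0, 2_000.0  # constructed attacker economics


if __name__ == "__main__":
    for m in MEASURES:
        print(m["name"], "ROI:", roi(m["benefit"], m["cost"]),
              "ROA:", roa(ATTACK_GAIN, ATTACK_COST_BEFORE, m["loss_caused"]))
    print("preferred by ROA:", rank_by_roa(MEASURES, ATTACK_GAIN, ATTACK_COST_BEFORE)[0])
    print("ROA for A after exploit goes public (cost -1,500):",
          roa_after_environment_change(ATTACK_GAIN, ATTACK_COST_BEFORE, 8_000.0, -1_500.0))
```

Both measures return an identical ROI of 1.0 to the defender, so ROI cannot separate them; ROA does, because measure B leaves the attacker a return of 2 against 5 for measure A, and when the attacker's baseline cost falls the ROA of the chosen measure rises while its ROI does not move.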
Bojanc, Jerman-Blažič and Tekavčič Model
The Bojanc, Jerman-Blažič and Tekavčič model was found in two different journals, both published in November 2012. Its outputs are measured in Return on Investment (ROI), Net Present Value (NPV) and Internal Rate of Return (IRR), all of which should be easily understood by the business manager, shortening the time taken to reach a project investment decision. While focusing on the quantification of security risks, the model also seeks "to find an optimal level and selection of the security technology investment." (Bojanc & Jerman-Blažič, 2012)
With considerably more inputs, the model is intended to serve as a procedure, a "guideline" leading the organization from initial input to final recommendation. It begins by attempting to quantify the risk assessment, where the goal is to "determine and evaluate every vulnerability as based on business processes, supported by information assets." (Bojanc & Jerman-Blažič, 2012)
The risk assessment is defined as follows, where the model attempts to quantify the complex relationships between risk, vulnerabilities, threats and security measures for every information asset that is part of the business process defined above (Bojanc, Jerman-Blažič & Tekavčič, 2012, pp. 1031-1052):
$$R = T \cdot v^{\alpha_p C_p + 1}\left[L_1 \cdot t_{r0} \cdot e^{-\alpha_c C_c} + L_2 \cdot t_{d0} \cdot e^{-\alpha_d C_d} + L_3 - I\right]$$
Next, the Bojanc, Jerman-Blažič and Tekavčič model seeks to determine the optimal amount an organization should invest to secure its information assets. In doing so, it attempts to combine the uncertainty surrounding the organization's threats, its vulnerabilities, the consequences of an attack and the efficiency of the measures currently in place. The objective is to invest in information security up to the point where the marginal benefit equals the marginal cost, that is, where the benefit of an additional unit of security equals the cost of an additional unit of security. (Bojanc, Jerman-Blažič & Tekavčič, 2012)
The model conducts a cost/benefit analysis. However, as noted for the previous models, while the costs can be fairly straightforward to calculate, the organizational benefits can prove rather difficult. The benefits gained from the investment are nonetheless quantified as follows (Bojanc, Jerman-Blažič & Tekavčič, 2012):
$$B = R_0 - R(C) - \delta + \mu$$
where $R_0$ is the security risk prior to a security measure, $R(C)$ is the risk after the security measure is implemented, $\delta$ measures the negative consequences brought about by the security measure, for example a loss of some user functionality, downtime or a loss of productivity in general, and $\mu$ measures the indirect positive effects of the security measure. (Bojanc, Jerman-Blažič & Tekavčič, 2012)
To close, the model addresses the economic value produced by the investment in the particular security measure. As mentioned earlier in this section, the Bojanc, Jerman-Blažič and Tekavčič model allows for comparison between three traditional business metrics used when assessing the merit of an investment: Net Present Value (NPV), Return on Investment (ROI) and Internal Rate of Return (IRR).
When evaluating mutually exclusive projects, the literature advises basing the determination on the organizational scenario while evaluating all three, because the different metrics can point to different optimal solutions. For example, if a manager is attempting to determine the value of an investment over time, NPV is the recommended criterion, as it factors in the time value of money. (Bojanc, Jerman-Blažič & Tekavčič, 2012)
The choice should be the investment that produces the highest NPV, ROI and IRR. Frequently, however, the three economic metrics will point to three different choices; in any particular analysis, ROI may favor one investment while NPV and IRR favor others. In these cases the literature directs the reader to conduct a comparative analysis. The analytical formula for a comparative analysis on ROI is as follows (the formulas for NPV and IRR are similar) (Bojanc & Jerman-Blažič, 2012):
$$\mathrm{ROI} = \frac{T \cdot v\,(1 - v^{\alpha_p C_p}) \cdot L - \delta + \mu - C_p}{C_p}$$
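As an added example (code written for this review, not the authors' own), the following Python computes the yearly benefit $B$ from the terms defined above, then evaluates two constructed, mutually exclusive security investments by ROI, NPV and IRR at an assumed 10% discount rate, showing the metrics pointing to different choices. It uses plain discounted cash flows rather than the authors' full comparative formula; the project names, risks, costs and rates are assumptions.

```python
# Added example, not code from Bojanc, Jerman-Blazic and Tekavcic. It computes
# the yearly benefit B = R0 - R(C) - delta + mu and evaluates two mutually
# exclusive security investments by ROI, NPV and IRR to show the metrics
# disagreeing. All figures (risks, costs, discount rate) are constructed.


def annual_benefit(r0, r_c, delta, mu):
    """B = R0 - R(C) - delta + mu: risk removed, less side effects, plus indirect gains."""
    return r0 - r_c - delta + mu


def roi(cost, benefits):
    """Undiscounted ROI over the horizon: (sum of benefits - cost) / cost."""
    return (sum(benefits) - cost) / cost


def npv(rate, cost, benefits):
    """Net present value: cost paid now, benefits at the end of years 1..n."""
    return -cost + sum(b / (1.0 + rate) ** k for k, b in enumerate(benefits, start=1))


def irr(cost, benefits, lo=-0.99, hi=10.0, iterations=200):
    """Internal rate of return by bisection on NPV(rate) = 0. Assumes one sign
    change in the cash flows (outlay first, inflows after), so the root is unique."""
    if npv(lo, cost, benefits) * npv(hi, cost, benefits) > 0:
        raise ValueError("no IRR in the search interval")
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if npv(lo, cost, benefits) * npv(mid, cost, benefits) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2.0


def best_by_each_metric(projects, rate):
    """projects: name -> (cost, [yearly benefits]). Returns which project each
    metric prefers; they need not agree, which is why all three are evaluated."""
    return {
        "ROI": max(projects, key=lambda n: roi(*projects[n])),
        "NPV": max(projects, key=lambda n: npv(rate, *projects[n])),
        "IRR": max(projects, key=lambda n: irr(*projects[n])),
    }


# Constructed: A is a cheap one-year fix, B a larger three-year programme.
PROJECTS = {
    "A": (100.0, [annual_benefit(200.0, 40.0, 20.0, 10.0)]),         # B = 150 once
    "B": (1000.0, [annual_benefit(700.0, 200.0, 80.0, 30.0)] * 3),   # B = 450 per year
}
DISCOUNT_RATE = 0.10


if __name__ == "__main__":
    for name, (cost, benefits) in PROJECTS.items():
        print(f"{name}: ROI={roi(cost, benefits):.3f} "
              f"NPV={npv(DISCOUNT_RATE, cost, benefits):.2f} IRR={irr(cost, benefits):.4f}")
    print(best_by_each_metric(PROJECTS, DISCOUNT_RATE))
```

Project A wins on ROI (0.50 against 0.35) and on IRR (50% against roughly 16.6%), while project B wins on NPV (about 119 against 36 at 10%), which is exactly the disagreement the text says forces the manager back to the organizational scenario.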
Summary of Findings
Evaluation Criteria       Gordon-Loeb  Sonnenreich  Cremonini  Bojanc
Costs:
- Fixed                   x            ✔            ✔          ✔
- Variable                ✔            ✔            ✔          ✔
- Opportunity             x            x            x          x
- Sunk                    x            ✔            x          x
- Recurring               x            x            x          x
- Non-Recurring           ✔            ✔            ✔          ✔
Benefits:
- Financial               ✔            ✔            ✔          ✔
- Non-Financial           x            x            x          ✔
Inputs:
- Quantitative            ✔            ✔            ✔          ✔
- Qualitative             x            x            x          ✔
Outputs:
- Quantitative            ✔            ✔            ✔          ✔
- Qualitative             x            x            x          x
Budget Type:
- Constrained             x            x            x          x
- Unconstrained           ✔            ✔            ✔          ✔
Investment Approach:
- One-time Investment     ✔            ✔            ✔          ✔
- Split Investment        x            x            x          ✔
Conclusions
In conclusion, my research conducted a systematic review of the literature to address the question of which financial analysis business managers should use when considering investing in Information Security. While not exhaustive, it shows that there is not yet a consensus in academia on a standardized methodology for making investment decisions with respect to Information Security.
The function of security, which is to mitigate loss exposure, as well as the difficulty in accurately assessing the probabilities of loss, lead to the break-down of the traditional financial formulas used in business investment decision-making. My research shows four models that can begin to address the needs of the business manager.
While the research was not exhaustive, limited in part by search constraints and scope, the evaluation criteria were chosen to give a broad sense of the current models proposed in the available literature. Additionally, each model certainly contains its own weaknesses. For example, some models take into consideration an attacker's point of view, while others look only at a static or one-time investment.
However, I was unable to find anything that precludes a decision-maker from extracting parts of one model to include in another. That is to say, if a business manager needs to invest over time, NPV may be an appropriate measure, but he may also wish to add ROA to it to better refine his decision-making.
Future research into the topic will include an expansion of this beginning body of evidence, while seeking to understand the impact of other domains, such as Game Theory, to better understand how Return on Attack (ROA) may help future InfoSec managers with investment analysis.
References
Bojanc, R., & Jerman-Blažič, B. (2012). Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System. Organizacija, 45(6).
Bojanc, R., Jerman-Blažič, B., & Tekavčič, M. (2012). Managing the Investment in Information Security Technology by Use of a Quantitative Modeling. Information Processing and Management, 48(6), 1031-1052.
Cremonini, M., & Martini, P. (2005). Evaluating Information Security Investments from Attackers' Perspective: The Return on Attack (ROA). Proceedings of the Fourth Workshop on the Economics of Information Security.
Gordon, L. A., & Loeb, M. P. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5(4), 438-457.
Lanen, W. N., Anderson, S. W., & Maher, M. W. (2011). Fundamentals of Cost Accounting. McGraw-Hill.
Pandey (2015). "Context, Content, Process" Approach to Align Information Security Investments with Overall Organizational Strategy. International Journal of Security, Privacy and Trust Management, 25-38.
Schatz, D., & Bashroush, R. (2016). Economic Valuation for Information Security Investment: A Systematic Literature Review. Information Systems Frontiers, 1-24.
Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on Security Investment (ROSI) - A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 38(1), 45-56.