Abstract
This chapter aims at examining two main aspects in security project: cost estimation and investment assessment. The characteristics of security projects are stressed on and the importance of adopting management task is determined. In addition, the chapter examines the different cost estimation models developed for security project and discusses the technical and managerial factors affecting the cost estimation and the management of project. In addition, a review of research works directed toward security investment models is determined. In fact, most models have focused on determining the optimal security investment allocation based on budgetary aspect, economic, and financial constraints. Recent models are interested to examine more specific security features when assessing the required investment (e.g. system vulnerabilities, attacks type, risk factors, data privacy, and insurance). finally, the chapter discusses future directions that could be investigated to make available useful models for cost estimation and investment on security projects.
TopSecurity Projects Management Frameworks
In this section, we examine the objective and features of security project and show the importance of the management task when dealing with these projects.
Key Terms in this Chapter
Security risk: Is the likelihood that enterprise assets (i.e. information, systems and network infrastructures, data, programs and applications) be targeted by a successful attack.
Optimal Security Investment: Is the amount of investment which maximizes the Esperance of the gained loss and minimizes the risks of security attacks.
Information Security: Is the protection of the information system' resources from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Security Project: Is a set of activities that aim to protect and secure an information system from attacks and potential threats.
Threat: Is an indication about a potential event that can harm the security of the protected resource. A threat can turn to a security attack once a vulnerability that can be exploited is found.
Project Management: Is a common framework providing managers with principles, techniques, and tools needed to manage project team effort efficiently and to meet successfully the enterprise’s project objectives.
Vulnerability: Is a defect or weakness in information system’s assets or mechanisms, which could lead to a security breach when exploited by malicious entities.
Security Attack: Is any form of malicious actions taken to harm the security of information system components. An action is classified as malicious with respect to the enterprise security policy.
Security Policy: Is a document that lays the framework for information system security of the enterprise. Through this framework, a security project team can draw intelligible objectives, plans, rules and formal procedures required to manage and protect the sensitive enterprise information system from different attacks.
Residual Risk: Is a quantification of the risk or the degree of exposure that the protected information system will incur, after deciding to counter or eliminate known risk.
Cost Estimation: Is an approximation of the probable cost of a project computed on the basis of the cost of all resources that will be charged to complete project activities.
Information System: Is a set of interconnected components (technology, process and people) that collect, process, store, and distribute information to sustain decision making and control in an enterprise.
Economic of Information Security: Is the discipline that applies different economic theories to resolve information security problems.
Awareness: Is the extent to which an individual who has access to the information system assets is aware of. It is related to the importance of security and dangerousness of attacks, the enterprise’s security requirements, and its responsibilities regarding the enforcement of security inside the information system.