Chapter Preview
TopBackground
The evaluation of the cost associated to a security project cannot be done using traditional software cost estimation models due to differences between software and security projects. Several works have addressed issues and provided various models for cost estimation of security and risk management projects, helping managers reasoning on the cost associated to security decisions, solutions and projects, before they make or conduct. Several of these models considered a security policy, which is serving as a document specifying the security requirements, as the key element for estimating the effort required to achieve a security project and computing its cost. The estimated effort can be seen from two perspectives. The former is related to the technical issues surrounding the acquisition and development of security prevention, detection, and reaction components, and the update and upgrade of systems, configurations, and libraries. The latter is related to the managerial issues surrounding the development and planning of training programs to employees and security administrator, the development of internal procedures and guidelines, and the development of security strategic intelligence within the enterprise
Key Terms in this Chapter
Awareness: the extent to which an individual who has access to the information system assets is aware of: the importance of security and dangerousness of attacks; the enterprise’s security requirements; and its responsibilities regarding the enforcement of security inside the information system.
Security Policy: is a document that lays the framework for information system security of the enterprise. Through this framework, a security project team can draw intelligible objectives, plans, rules and formal procedures required to manage and protect the sensitive enterprise information system from different attacks.
Residual Risk: A quantification of the risk, or the degree of exposure, that the protected information system will incur, after deciding to counter or eliminate known risk.
Countermeasure: A measure taken to prevent, counter, correct, or minimize the effect of an attack. This measure could be in the form of action, mechanism, procedure, or technique.
Threat: Indication about a potential event that can harm the security of the protected resource. A threat can turn to a security attack once a vulnerability that can be exploited is found.
Project Management: is a common framework providing managers with principles, techniques, and tools needed to manage project team effort efficiently (in a timely manner, and utilizing the forecasted resources), and therefore to meet successfully the enterprise’s project objectives.
Security risk: is the likelihood that enterprise assets (i.e. information, systems and network infrastructures, data, programs and applications) be targeted by a successful attack.
Vulnerability: A defect or weakness in information system’s assets or mechanisms, which could lead to a security breach when exploited by malicious entities.
Security Attack: Any form of malicious or actions taken to harm the security of information system components. An action is classified as malicious with respect to the enterprise security policy.
Risk Management: is a methodical approach that aims to control risk through developing systems and procedures allowing managers to anticipate, identify, estimate and effectively dealing with risks inherent to any project.
Information System: A set of interconnected components (technology, process and people) that collect, process, store, and distribute information to sustain decision making and control in an enterprise.