Today, millions of users rely on the Internet to do business and to access a wide variety of services. Examples include e-commerce, banking transactions, B2B interactions, multi-player games, blogs, and social networks. Trust in these services is a prerequisite to achieve the full economic potential of information communications technology (ICT). Security economics explore the opportunities of security investments by transforming security from a cost to an asset. This chapter describes SecInvest, a security investment support framework that helps security economists explore such opportunities. SecInvest derives a security solution fitness score that can be used to compare alternative solutions and decide whether to invest in security or take the associated risk. The framework considers various cost variables, investment budget and priorities, laws and regulations, risk level, a priori security status, and other decision variables when deriving the fitness score.
TopIntroduction
What is a reasonable computer and information security level? Which security solution addresses a particular security problem or challenge best? How much money is necessary to invest to ensure a stable operational state and to achieve a reasonable security level? These are all important questions that a decision maker needs to consider when formulating a company’s security strategy and policy, and when exploring how best to control risks and deploy security control mechanisms. The core question is whether to invest in security or to take the risk. Although, researchers have been very active in the field of innovative security services and products, research on the economic perspective of security has somewhat been lagging.
Several recent works underline the need of an economic perspective on security products and services (Anderson, Bohme, Clayton & Moore (2008), Anderson, R. (2001), Sonnenreich, Albanese & Stout (2006), Savola (2007), Gritzalis, Yannacopoulos, Lambrinoudakis, Hatzopoulos & Katsikas (2007), Zoric (2008a), Zoric (2008b), Lambrinoudakis, Gritzalis, Yannacopoulos, Hatzopoulos & Katsikas (2005), Simón, Thakolsr, Alpanes & Zoric (2008), Gaivoronski & Zoric (2008), Li & Su (2007), Houmb (2007), Eneh, Gemikonakli & Comley (2006), van Eeten & Bauer (2008), and Daneva (2006)). However, very few useful real-world case studies are available that validate this research, and there is still no significant change in the attitudes and practices of decision makers. Furthermore, there are yet no concrete guidelines for security investment. There are no good methods and tools to help decision-makers in choosing between alternative security services and products. There are also no relevant standards or best practices, not even for how to derive return on security investment (ROSI).
This chapter presents a novel security investment trade-off analysis framework and tool called SecInvest (SecInvest (2010)). The chapter discusses its underlying methodology and trade-off procedure, and the computational engine used for decision-making. SecInvest enables a decision maker to take control over security relevant spending and to make well-informed security investment decisions. The tool takes as input parameters security levels, risk levels, cost, budget, time-to-market, law and regulations, and other trade-off variables, and produces a fitness score for each alternative security service or product being considered. This makes it possible for a decision maker to choose between various alternatives. SecInvest can be looked upon as a security investment advisor in the form of a tool that also has the ability to learn from experience.
The chapter is organized as follows. Background section focuses on the main challenges in security investment and discusses why it is so difficult to make good security decisions. Security investment trade-off analysis section discusses how to transfere security from a cost to an asset and presents a security investment trade-off analysis methodology aimed at supporting security investment decisions in practice. This section also gives an overview of the underlying methodology and trade-off procedure of SecInvest, including the computational engine of the tool. SecInvest: Security Risk Investment Framework section demonstrates the use of SecInvest in a security investment situation involving two legally independent organizations. Discussion section elaborates on the strengths and weaknesses of SecInvest in relation to related work. The chapter concludes with a summary of the main contributions and a brief outline of future work.