Information security is a growing priority for organizations, many of which struggle to decide how much to invest in countering threats to the availability, confidentiality and integrity of information systems, threats that put interlinked business processes at risk. Investments in security countermeasures typically have the character of externalities, since one entity's investment decision affects the utility of the other entities connected to it. Although information security is a priority for many enterprises, the evaluation of investments in information security, and how a company should set its security policies, is poorly understood. Effective countermeasures exist for many security threats, but they are often not deployed optimally. Deciding how best to invest resources in information security is not straightforward, and the difficulty is compounded by multiple uncertainties: about threats and vulnerabilities, about the consequences of a successful attack, and about the effectiveness of mitigation measures. Given the challenge of ensuring information security under such uncertainty, how can organizations determine appropriate measures to enhance cyber security and allocate resources most efficiently?
In practice, a good solution today is often worth more than a perfect solution months later. That is why we are developing the IT Security/Cyber Security Graded Security Expert System: a tool for quickly specifying an economically rational, ideally optimal, set of security measures to protect a concrete piece of information according to the security goals, and the goal levels, actually required for it. The Graded Security Expert System is based on a high-level risk analysis (which mainly yields the required levels of the information security goals), on the Graded Security methodology (DOE 1999, NISPOM 2006) and on a cost-optimizing function/model for IT security.
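The abstract does not spell out the cost-optimizing model. The following is an added illustration, written for this page and not Kivimaa's published model or the DOE/NISPOM methodology: it assumes that each security goal (C, I, A) is assigned a required graded level 0 to 3, that each candidate measure has a cost and provides a level per goal, that a set of measures achieves per goal the highest level any selected measure provides, and that the task is to find the cheapest set meeting every required level. The measure catalogue, costs and level assignments are constructed sample data.

```python
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Tuple

# Illustrative graded-security cost model (an assumption for this example,
# not the paper's model): goals carry required levels 0..3, each measure
# provides a level per goal, and a set of measures achieves per goal the
# maximum level any selected measure provides.

Measure = Tuple[str, int, Dict[str, int]]  # (name, cost, {goal: level provided})

# Constructed sample catalogue of countermeasures; costs are arbitrary units.
MEASURES: List[Measure] = [
    ("full-disk encryption", 4, {"C": 2}),
    ("TLS for all links", 3, {"C": 2, "I": 1}),
    ("HSM-backed key management", 9, {"C": 3, "I": 2}),
    ("signed builds + integrity monitoring", 5, {"I": 3}),
    ("daily offsite backups", 3, {"A": 1}),
    ("active-active cluster", 8, {"A": 3}),
    ("DLP gateway", 6, {"C": 3}),
]


def achieved_levels(selected: Iterable[Measure], goals: Iterable[str]) -> Dict[str, int]:
    """Level reached per goal: the best level any selected measure provides."""
    levels = {g: 0 for g in goals}
    for _, _, provides in selected:
        for goal, level in provides.items():
            if goal in levels:
                levels[goal] = max(levels[goal], level)
    return levels


def meets(levels: Dict[str, int], required: Dict[str, int]) -> bool:
    """True when every required goal level is reached."""
    return all(levels.get(g, 0) >= lvl for g, lvl in required.items())


def cheapest_measure_set(required: Dict[str, int],
                         measures: List[Measure] = MEASURES) -> Optional[Tuple[int, List[str]]]:
    """Exhaustive search for the minimum-cost subset meeting all required levels.

    Returns (total_cost, sorted measure names), or None if no subset suffices.
    Exponential in the catalogue size; fine for a dozen measures, a real tool
    would use an ILP solver for larger catalogues.
    """
    best: Optional[Tuple[int, List[str]]] = None
    for k in range(1, len(measures) + 1):
        for combo in combinations(measures, k):
            cost = sum(c for _, c, _ in combo)
            if best is not None and cost >= best[0]:
                continue  # cannot improve on the current best
            if meets(achieved_levels(combo, required), required):
                best = (cost, sorted(name for name, _, _ in combo))
    return best


def shortfall(required: Dict[str, int], measures: List[Measure] = MEASURES) -> Dict[str, int]:
    """Goals whose required level exceeds what the whole catalogue can provide.

    A non-empty result explains why cheapest_measure_set returned None.
    """
    ceiling = achieved_levels(measures, required)
    return {g: lvl - ceiling[g] for g, lvl in required.items() if ceiling[g] < lvl}


if __name__ == "__main__":
    for req in ({"C": 3, "I": 2, "A": 1}, {"C": 2, "I": 1, "A": 1}, {"A": 4}):
        result = cheapest_measure_set(req)
        if result is None:
            print(req, "-> infeasible, shortfall:", shortfall(req))
        else:
            print(req, "-> cost", result[0], "using", result[1])
```

The point of the example is the shape of the problem rather than the numbers: once required goal levels come out of the high-level risk analysis, measure selection becomes a constrained minimum-cost search, and an infeasible requirement is reported as a per-goal shortfall instead of a silent "best effort".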
Published in: Proceedings of the 8th European Conference on Information Warfare and Security, ECIW 2009, 6-7 July, Lisbon, Portugal.
Kivimaa, J. (2009). Applying a Cost Optimizing Model for IT Security. In Proceedings of the 8th European Conference on Information Warfare and Security, ECIW 2009, 6-7 July, Lisbon, Portugal. Reading: Academic Publishing Limited, pp 142-153.