SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies

Abstract

Many companies rely on historical data to build predictability models for cost/benefit justification of future projects. Unfortunately, for small companies, which generally do not have a process for collecting security data, the costs and the benefits of information security improvement projects have been very difficult to estimate and justify. In addition, detailed attack data are simply not available to be used as references in cost estimations. Given these difficulties, many small companies choose to ignore entirely the security vulnerabilities in their systems, and many suffer the consequences of security breaches and significant financial loss. Small companies that do implement security improvement projects often have problems understanding the cost structures of their improvement initiatives and how to translate risk exposures into costs that can be passed on to their customers. To deal with the aforementioned problems, this report describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security improvement projects. The framework classifies misuse cases into categories of threats for which nationally surveyed risks and financial data are publicly available. For each category of threats, costs, benefits, baseline risks, and residual risks are estimated. The framework then generates all permutations of possible solutions and analyzes the optimal approach to maximizing the value of security improvement projects. The framework analyzes the problems from five dimensions: Total Implementation Costs, Total System Value, Net Project Value, Benefit/Cost Ratio, and Risk Exposures. The final proposed system will be derived from the comparisons of these dimensions, taking into consideration each company's specific situation. This report is one of a series of reports resulting from research conducted by the System Quality Requirements Engineering (SQUARE) Team.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Nov 01, 2004
Accession Number
ADA431118

Entities

People

  • Don Ojoko-adams
  • Hasan Osman
  • Lilian Lopez
  • Marjon Dean
  • Nancy R. Mead
  • Nick Xie
  • Peter Chen

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Commerce
  • Computer Access Control
  • Computer Crime
  • Computer Programs
  • Computers
  • Cost Estimates
  • Cybersecurity
  • Engineering
  • Information Security
  • Lessons Learned
  • Margin Of Safety
  • Operating Systems
  • Residuals
  • Security
  • Software Development
  • Spreadsheet Software
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Economics
  • Life Cycle Cost Analysis