Measuring the risk-based value of IT security solutions

5 Author(s)

Arora, A. (Software Ind. Center, Carnegie Mellon Univ., Pittsburgh, PA, USA); Hall, D.; Piato, C.A.; Ramsey, D.

Information security problems cost millions of dollars for US companies and billions for the overall US economy. Nowadays, the question is not whether organizations need more security, but how much to spend for added security. And yet investing in IT security has always been a hard sell for IT managers. Scores of security technologies are on the market and, if anything is certain, it is that none of them can guarantee security. Each choice involves risk. The problem is that security managers lack structured cost-benefit methods to evaluate IT security solutions in light of prevailing uncertainties. A framework can help evaluate the costs and benefits of IT security solutions using a company's risk profile. Using an unconventional concept, this framework bases benefit on avoided risk rather than increased productivity. Lawrence Berkeley National Laboratory (LBNL) uses this framework to help demonstrate to management and auditors that it is significantly less expensive to accept some damage from cyberattacks than to attempt to prevent all possible damages. This pragmatic approach continues to enable LBNL's cybersecurity staff to optimize security countermeasure investments and reduce spending without sacrificing protection. The framework described here uses a risk management approach that integrates risk profile with actual damages and implementation costs to determine the costs and benefits of information security solutions. This approach requires reasonably voluminous data and is thus well suited for organizations with extensive incident data or when the consequences of incidents are high enough to warrant extensive data gathering.

Published in: IT Professional (Volume: 6, Issue: 6)