Evaluating information security investments from attackers perspective: the return-on-attack (ROA) / M. Cremonini, P. Martini. (Paper presented at the 4th WEIS conference, held in Boston in 2005.)
Evaluating information security investments from attackers perspective: the return-on-attack (ROA)
M. Cremonini
2005
Abstract
Conducting a cost-benefit analysis of security solutions has always been hard, because the benefits are difficult to assess and often only part of the overall cost is known. Despite this, economic evaluations of security technology investments are today something that more and more customers require vendors to provide. In this paper, we consider the typical calculation of a Return-On-Investment (ROI) index based on the evaluation of the Annual Loss Expectancy (ALE), such as the one usually provided by IT security vendors. Our motivating assumption is that this classical index, the ROI, gives only a partial characterization of investments in information security technology, because it does not explicitly consider attackers' behavior. We suggest that, to better evaluate security technology investments, the ROI index should be coupled with a corresponding index that measures the convenience of attacks, the Return-On-Attack (ROA). Different conclusions can be reached by combining the two indexes and considering either the combination of different technologies or the possible degradation of a security solution's efficiency over time, as shown by means of some case studies and examples.

File | Description | Type | Size | Format
---|---|---|---|---
Evaluating_information_security_investme.pdf (open access) | Main article | Post-print, accepted manuscript, etc. (version accepted by the publisher) | 94.95 kB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.