Value of Investing in Information Security: A metastudy initiated by norSIS
The share of companies and organizations in Norway with between 5 and 9 employees and Internet access increased from 66% to 86% during the five-year period from 2001 to 2006. This increased use of the Internet puts small companies in a vulnerable position with respect to information security. They are known to be remarkably less willing to pay for information security than companies with more employees and more revenue. There is no such thing as two identical organizations. Every single one has its own assets, weaknesses, employees and fundamental strategies. This makes each company's requirements for ICT systems and information security unique as well: one solution might be good for one company but not for others. The differences in organizational structure and mentality are important variables in the process of building a good and secure infrastructure for an organization. The Australian Computer Crime Surveys present four "readiness to protect" factors: technology, policies, training and standards. These factors are used as a template for this thesis. If companies focus on these four aspects of information security, and succeed in combining them in an optimal manner, they are said to have security in depth. There is no point in investing great amounts of money in technology if it is not used in a justifiable manner. There may be several reasons for improper use of the technology, among them lack of knowledge, laziness and carelessness. The companies' continued inability to calculate their own risk of adverse events and their total losses experienced due to computer crime makes it difficult to perform investment analysis on information security. Smaller companies often have a very limited amount of money to spend in general, and therefore also on information security. The investment analysis model chosen therefore takes the maximum amount of spendable money into account.

The accuracy of the model presented relies on the companies' ability to present trustworthy data and to use both willingness-to-pay calculations and cost/benefit investment analysis methods. The result is a more thorough presentation of an ALE/ROI method, demonstrated in a proof of concept using estimated data based on surveys, professionals' experiences and prices used by a Norwegian ICT operations company.
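The following is an added example, not code or data from the thesis, showing how an ALE/ROI analysis can be capped by a company's maximum spendable budget as described above. It uses the standard definitions ALE = SLE × ARO and ROSI = (loss avoided − cost) / cost; the loss figures, control names and prices are constructed, and the assumption that controls reduce the ARO independently is a simplification.

```python
from dataclasses import dataclass

# Constructed sample figures (not from the thesis): a small company's
# expected loss from one incident and how often such incidents occur.
SLE_NOK = 150_000.0       # single loss expectancy, NOK
ARO = 0.4                 # annual rate of occurrence (about once per 2.5 years)
MAX_SPEND_NOK = 15_000.0  # maximum spendable security budget per year

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # yearly cost of the countermeasure, NOK
    aro_reduction: float  # fraction of the ARO the control removes (0..1)

# Constructed candidate countermeasures (hypothetical names and prices).
CONTROLS = [
    Control("offline_backups", 8_000.0, 0.5),
    Control("awareness_training", 5_000.0, 0.2),
    Control("managed_ids", 40_000.0, 0.6),
    Control("patch_management", 6_000.0, 0.3),
]

def ale(sle, aro):
    """Annualized loss expectancy: SLE x ARO."""
    return sle * aro

def rosi(sle, aro, control):
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = ale(sle, aro) - ale(sle, aro * (1.0 - control.aro_reduction))
    return (avoided - control.annual_cost) / control.annual_cost

def select_controls(sle, aro, controls, budget):
    """Greedily pick controls by ROSI (best first) while the cumulative cost
    stays within the budget; controls with non-positive ROSI are dropped.
    Assumes the controls' ARO reductions are independent and multiply."""
    ranked = sorted(controls, key=lambda c: rosi(sle, aro, c), reverse=True)
    chosen, spent, residual_aro = [], 0.0, aro
    for c in ranked:
        if rosi(sle, aro, c) <= 0 or spent + c.annual_cost > budget:
            continue  # unprofitable, or would exceed the spendable budget
        chosen.append(c.name)
        spent += c.annual_cost
        residual_aro *= 1.0 - c.aro_reduction
    return chosen, spent, ale(sle, residual_aro)

if __name__ == "__main__":
    names, spent, residual = select_controls(SLE_NOK, ARO, CONTROLS, MAX_SPEND_NOK)
    print(f"baseline ALE: {ale(SLE_NOK, ARO):.0f} NOK")
    print(f"chosen: {names}, spend {spent:.0f} NOK, residual ALE {residual:.0f} NOK")
```

With these inputs the expensive IDS is rejected on ROSI alone, and the budget cap then excludes awareness training even though it pays for itself, which is the kind of trade-off a willingness-to-pay constraint makes visible.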