Economic considerations of information security and its management (Essay Sample)

Economic considerations of information security and its management Student: Professor: Course title: Date: Economic considerations of information security and its management Information security, which is understood as the protection of computer systems as well as the availability, confidentiality and integrity of the data they contain, is a critical issue. This paper provides an exhaustive discussion of the economic considerations of information security (IS) and its management. The paper indicates whether these economic considerations are actually serving their purposes. Furthermore, the significance of these economic measures is described and the economic mechanisms which could improve information security and management are discussed. A comparative table of the economic measures which are discussed is provided. Economic considerations in Information Security and management How much is spent on Information Security and Management In information/computer security, one of the basic things to take into account is determining how much the organization is spending on information security and management. In general, the company needs to make sure that an adequate amount of money is spent on security and management. For instance, the management should ensure that it spends sufficient money on keeping hackers and cyber thieves out of the company’s computer systems (Schneier, 2014). In essence, the company should not spend too much or too little amount of money on securing its computer systems. Are security budgets being spent on the right things Another important economic consideration is that the company should ensure that it is actually spending its security budgets appropriately and on the right things. For instance, the management of the company should make sure that the company is actually spending its security budgets on things such as access control; encryption for instance E-mail encryption; and installing firewalls in protecting information (West, 2008). Monetary loss in case of a breach The financial loss to the business organization as a result of an infringement of security of the information system is also a vital economic consideration of information security and its management. It is notable that this loss could be because of a security infringement relating to: (i) denial of services for instance loss because of missed sales from certified users that were deprived of rightful access. (ii) Integrity for instance the loss as a result of the company making wrong decisions founded on data that has been altered by intruders; or (iii) confidentiality, for instance the loss because of the fraudulent usage of credit card information by cyber thieves and hackers or the firm’s strategic information becoming obtainable to its competitors (Anderson & Schneier, 2005). Costs / benefits analysis Consider the following situation: assuming that the only security problem faced by a company’s information systems is virus. Also assume that the sole solution to this problem is anti-virus. If the company’s information system is not protected, the expected yearly loss is $90,000. Bearing in mind the uncertainty behind virus attacks, it is possible that the company can spend considerably less than $90,000 for a good antivirus solution. In a situation such as this one, the benefits far outweigh the costs. The costs and benefits of countermeasures must be balanced. Diffie (2008) reported that information insecurities cost business organizations and the overall economy substantial amounts of money reaching millions and billions of dollars, respectively. Through the use of cost / benefit analysis, a company would be able to determine whether or not the benefits of installing security solutions outweigh the costs of installing them. The benefits of the security solutions is largely with respect to protecting the availability, authenticity, confidentiality, non-repudiation, and integrity to authorized users of the information set (West, 2008). In order to identify the benefits or costs of a particular security measure or solution, it is important to establish both the anticipated damage prior to and after a security measure has been taken as well as the costs for this particular security measure. A company’s information security professional should demonstrate the value of his or her activities in business terms. In tough economic periods, only those security initiatives which can demonstrate explicit business value would be financed (Schneier, 2014). Return On Security Investment (ROSI) According to ROSI, the monetary and non-monetary benefits of information security or any IS initiative in comparison to its costs. Producing the end-results in monetary terms signifies whether or not the quantifiable benefits delivered or offered actually outweigh the costs (Schneier, 2014). The key drivers for employing Return on Security Investment are as follows: to give good reason for the monetary budget reserved for information security projects; to help in appraising and selecting projects; and to offer general input for information security management. Return on Security Investment is essentially the calculation of the monetary return from an investment in information for instance a project or initiative, founded on the monetary costs or benefits of that investment. Return on Security Investment is expressed as the net gain divided by the investment (Diffie, 2008). Net Present Value (NPV) The Net Present Value can be utilized together with Return on Investment in justifying information security expenses. Net Present Value is important in assessing between different alternatives. In essence, Net Present Value is used in finding the cash flows that are produced by a given solution and in finding what those cash flows are actually worth in financial terms (Anderson & Schneier, 2005). An information security project that has a positive Net Present Value will increase the company’s wealth; that is to say, the total value produced or saved through the lifetime of the information security project is greater than the cost incurred in funding it. The calculation of Net Present Value is rooted in the principle of discounting: every forecasted future cash flow of the information security project is discounted back to the current time under the supposition that 1 dollar in the present day is worth (1 + d)T dollars at time T in future (West, 2008). It is notable that the cash flows signify the approximated costs and cost savings at different points in the information security project’s useful lifetime. A higher Net Present Value is preferable to a lower Net Present Value. In addition, a negative Net Present Value signifies an unacceptable investment (Schneier, 2014). Internal Rate of Return (IRR) This economic metric should be used by an information security manager in evaluating the expenses of an information security project. The Internal Rate of Return is computed by utilizing a cash flow such as Net Present Value. However, it differs from the Net Present Value calculation in that the Internal Rate of Return shows at what rate would the company break even (West, 2008). These economic measures are in fact serving their purpose appropriately. They are important and helpful in that they can be used in determining: both potential and historical costs of security violations; and the frequency in which security attacks can be anticipated. They can also be used in determining how security breaches can be quantified accurately so that companies could establish ...