ArticlePDF Available

Optimum Spending on Cybersecurity Measures: Part II

Authors:
Journal of Information Security, 2021, 12, 137-161
https://www.scirp.org/journal/jis
ISSN Online: 2153-1242
ISSN Print: 2153-1234
DOI:
10.4236/jis.2021.121007 Jan. 21, 2021 137
Journal of Information Security
Optimum Spending on Cybersecurity Measures:
Part II
Sherita Tara Kissoon
IT Risk & Security Advisory Services (ITRS), Markham, Canada
Abstract
The purpose of this research is to investigate the decision-
making process for
cybersecurity investments in organizations through development and utiliza-
tion of a digital cybersecurity risk management framework. The initial article,
Optimum Spending on Cybersecurity Measures is published on Emerald In-
sight at: https://www.emerald.com/insight/1750-6166.htm, contains the de-
tailed literature review, and the data results from Phase
I and Phase II of this
research [1]. This
article will highlight the research completed in the area of
organizational decision-making on cybersecurity spend. In leveraging the re-
view of additional studies, this research utilizes a regression framework and
case study methodology to demonstrate that effective risk-
based decisions are
necessary when implementing cybersecurity controls. Through regression
analysis, the effectiveness of current implemented cybersecurity measures in
organizations is explored when connecting a dependent variable with seve
ral
independent variables. The focus of this article is on the strategic decisions
made by organizations when implementing cybersecurity measures. This re-
search belongs to the area of risk management, and various models within the
field of 1) information security; 2) strategic management; and 3) organiza-
tional decision-
making to determine optimum spending on cybersecurity
measures for risk taking organizations. This research resulted in the devel-
opment
of a cyber risk investment model and a digital cybersecurity risk
management framework. Using a case study methodology, this model an
d
framework were leveraged to evaluate and implement cybersecurity meas-
ures. The case study methodology provides an in-depth view of a risk-
taking
organization’s risk mitigation strategy within the bounds of the educational
environment focusing on five areas identified within a digital cyber risk mod-
el: 1) technology landscape and application portfolio; 2) data centric focus;
3)
risk management practices; 4) cost-benefit analysis for cybersecurity meas-
ures;
and 5) strategic development. The outcome of this research provides
greater insight into how an organization makes decisions when implementing
cybersecurity controls. This research shows that most organizations are dili-
How to cite this paper:
Kissoon, S.T.
(20
21) Optimum Spending on Cybersecur-
ity Measures: Part II
.
Journal of Inform
a-
tion Security
,
12
, 137-161.
https://doi.org/10.4236/jis.2021.121007
Received:
November 28, 2020
Accepted:
January 18, 2021
Published:
January 21, 2021
Copyright © 20
21 by author(s) and
Scientific Research Publishing Inc.
This work is licensed under the Creative
Commons Attribution
-NonCommercial
International License (
CC BY-NC 4.0).
http://creativecommons.org/licenses/by
-nc/4.0/
Open Access
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 138
Journal of Information Security
gently implementing security measures to effectively monitor and detect cy-
ber security attacks, specifically showing that risk taking organizations im-
plemented cybersecurity measures to meet compliance and aud
it obligations
with an annual spend of $3.18 million. It also indicated that 23.6% of
risk-
taking organizations incurred more than 6 cybersecurity breaches with
an average dollar loss of $3.5 million. In addition, the impact of a cybersecur-
ity breach on risk taking organizations is as follows: 1) data loss;
2)
brand/reputational impact; 3) financial loss fines;
4) increase oversight by
regulators/internal audit;
and 5) customer/client impact. The implication this
research has on practice is extensive, as it
focuses on a broad range of areas to
include risk, funding and type and impact of cyber security breaches encoun-
tered. The survey study clearly demonstrated the need to develop and utilize a
digital cybersecurity risk management framework to integrate current indus-
try frameworks within the risk management practice to include continuous
compliance management. This type of framework would provide a balanced
approach to managing the gap between a risk-
taking organization and a risk
averse organization when implementing cybersecurity measures.
Keywords
Information Security, Risk Management, Strategy, Governance,
Organizational Decision Making
1. Introduction
Investing in security measures to strengthen an organizations’ information secu-
rity posture will ensure global interconnected environments are protected from
cybersecurity attacks and other information security vulnerabilities.
There is a global dependency on technology and its enablement of the inter-
net. Many organizations believe that compliance with regulations set by the gov-
ernment is sufficient to ensure security. This minimizes the impact a cybersecur-
ity breach has on interconnected environments, and provides a solid foundation
to build an organization’s information security framework. This research is crit-
ical, as it will analyze the decision-making process of various stakeholders who
are involved in implementations of cybersecurity measures to safeguard sensitive
data in organizations. It will provide the necessary information to demonstrate a
strategic risk-based approach to implementing cybersecurity measures for risk
taking organizations.
A wide range of principles are relevant to cybersecurity decision-making in
this context. Specific security measures are important and should be imple-
mented appropriately to alleviate cybersecurity threats. The outcomes of this re-
search will assist executives in understanding the business impact of cybersecur-
ity risks, enabling them to implement cost effective security measures aligned to
their organization’s enterprise risk appetite. It will also contribute to the research
community in providing risk management concepts, as well as a strategic frame-
work in minimizing cybersecurity risks.
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 139
Journal of Information Security
1.1. Research Problem
Digital technology is increasingly relied upon by the global community to pro-
vide real-time services to customers. Evolution of the technology from the tradi-
tional infrastructure to include mobile, cloud-based computing, software as a
service, virtual environments, system security and integrity is prevalent. To un-
derstand the benefits that networked technology provides, these systems must
operate in a reliable and secure way. Companies must have assurance that their
data will be safe from disruption, loss or theft. Therefore, the protection of data,
and the integrity and availability of organizations are essential.
The primary focus for most business executives is to increase revenue, pro-
mote innovation and technological advances in support of customer growth and
retention strategies. Therefore, reallocation of funds to cybersecurity is consi-
dered a business trade-off, where realized gains may not be clearly communi-
cated, nor easily measured. Business leaders need to know the impact cyberse-
curity risks have within their organization, in order to make intelligent business
decisions.
Conducting cost-benefit analyses on implementing cybersecurity controls is a
challenge, since quantifying the cost of cybersecurity failures is usually not in-
cluded, nor is the benefit of averted breaches captured. Business leaders are un-
clear whether their investment in cybersecurity controls is proportional to the
risk within their portfolio.
1.2. Aim of the Research
The focus of this research is to investigate the decision-making process for cy-
bersecurity investments in organizations using conceptual models. Most con-
ceptual models consider the dynamic environment, which is adaptable to changes
that occur within the decision-making process. These models and frameworks
rely on either specific scenarios or controlled conditions. As a result of the dy-
namic environment within the industry of cybersecurity, mitigation strategies
evolve to address emerging industry threats. These variations influence the con-
ditions that were used within previous framework and economic models.
Decisions on cybersecurity spend within organizations vary based on stake-
holders, specifically the funding available in comparison to the recommended
security measures necessary for compliance.
These executive decisions may be coloured with bias, as to the appropriate
security baseline required to protect relevant information assets within the or-
ganization. The tradeoff between the costs of implementing a security measure,
and the benefit derived from the implementation is not easily measured. There-
fore, the lack of this information may impact the business leader’s decision to
fund security measures, and choose to further invest in developing new tech-
nology to drive innovation, business growth and customer satisfaction. This re-
search will demonstrate the need for an appropriate cybersecurity risk manage-
ment framework to determine optimum cybersecurity spend utilizing the results
from the survey study.
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 140
Journal of Information Security
2. Research Background
This research aims to test the effectiveness of implemented cybersecurity frame-
works leveraging regression analysis. It focuses on the dependent variables of
level of risk, an organization’s funding model and impact of a cybersecurity
breach. Each area was reviewed in depth to provide an understanding of its ap-
plication to cybersecurity and the risk management decision-making process
used when evaluating and investing in various security measures. Three global
industry areas were analyzed during the survey study to gain a further under-
standing of the current gaps, as noted below.
Why Are Current Implementations of Cybersecurity Frameworks Effective in
Identifying, Monitoring and Responding to Cybersecurity Threats?
An analysis of industry data indicates that organizations currently leverage
government and industry frameworks when implementing cybersecurity meas-
ures. In addition, the decisions made by most stakeholders are based on validat-
ing compliance with government regulations, industry standards and internal
policy.
Most organizations anonymously expressed that they had experienced types of
cybersecurity breaches, prioritized as follows: 1) malware/ransomware; 2) phishing;
3) lost/stolen computer media; and 4) external/data breaches. Organizational
stakeholders believe they can detect, respond to and monitor security incidents,
however they are not able to continuously prevent security incidents from oc-
curring within their environment.
What Factors are Considered by an Organization when Investing in Cyberse-
curity Controls?
The decision-making mechanisms utilized by organizations when evaluating
and implementing different security measures focus primarily on 1) compliance
with government and industry regulations; 2) investment cost; 3) the impact of
either a breach or a fine; 4) either reputational or brand risk; and 5) ease of use
by the business.
What Decision-making Mechanisms Do Organizations Use When Evaluating
Different Security Measures Prior to Implementation?
The roles of stakeholders making decisions on cybersecurity measures within
their organization include the following in order of priority: 1) chief technology
officer (CTO); 2) chief information security officer (CISO); 3) head of business
line; 3) chief information officer (CIO); and 5) board of directors. Stakeholders
believe that the CTO and CISO have the primary responsibility for advising and
funding the investment cost in their organization and estimate that their organ-
ization’s investment budget is between $1 and $5 million dollars annually.
Stakeholders are involved in the implementation of cybersecurity measures in
the following ways: 1) directly involved in the decision-making mechanism; 2)
attend meetings on evaluating cybersecurity measures; 3) involved in cyberse-
curity implementation activities; and 4) support the cybersecurity function.
Most organizations are faced with an array of choices when deciding on how
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 141
Journal of Information Security
to fund cybersecurity measures. Funding the investment cost needed to provide
a secure environment can be complex.
Cost-benefit analyses, risk appetite and business trade-offs are some of the
areas that are factored into the overall decision-making process. Most stake-
holders indicate that the following areas are critical in an organization’s deci-
sion-making process when allocating funds for cybersecurity measures:
1) Allocation of budget: Although stakeholders believe that their organiza-
tion has allocated a large enough budget to respond to or detect a cybersecurity
breach, it is apparent that their organization’s cybersecurity budget is insuffi-
cient to ensure appropriate cybersecurity measures are in place to continuously
prevent cybersecurity breaches from occurring within their organization.
2) Ability to prevent a cybersecurity breach: Although stakeholders believe
that their organization can detect a cybersecurity breach in a timely manner, it is
apparent that their organization is unable to prevent a cybersecurity breach, as
stakeholders indicate during the survey study that their organization has en-
countered more than 15 breaches, see Figure 1.
3) Risk appetite: Stakeholders indicate that their organization’s decision-mak-
ing process is aligned with a risk methodology, and as noted within most of the
industry-recognized economic models, this methodology directly impacts the cost-
benefit analysis, as shown in Figure 2.
Figure 1. It shows the ability for an organization to prevent a cybersecurity breach, spe-
cifically 30% of respondents have experienced 5 or less cybersecurity breaches (Kissoon,
2019).
Figure 2. It demonstrates that 34% of organizations have a risk taking risk appetite (Kis-
soon, 2019).
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 142
Journal of Information Security
4) Importance of decision-makers: It is apparent in most organizations that
decisions made by the CIO and head of the business line have similar priorities
with regard to 1) funding the investment cost; 2) implementing information se-
curity measures; and 3) reviewing the risk appetite statement. This parallel deci-
sion-making process may potentially have an adverse impact on the decision to
fund cybersecurity measures, especially in circumstances where the viewpoints
are vastly different.
3. Literature Review
Economic optimization of information security is an area of interest to re-
searchers, as well as executives in organizations. From a financial viewpoint, cost
benefit justification for security measures is impactful and necessary. Earlier re-
searchers focused on either economic models for security optimization or quan-
tification of business value for information security investments. This research
aims to develop an evidence based digital cybersecurity risk management frame-
work for organizations to effectively articulate the business impact of information
security risks. There are a number of research studies that have been conducted in
information security, all of which will be consulted thoroughly while undertaking
this research. Optimum Spending on Cybersecurity Measures is published on
Emerald Insight at: https://www.emerald.com/insight/1750-6166.htm, and con-
tains the details of the Literature Review [1].
This article, using regression analysis and a case study will explore the area of
risk management decision making leveraging the research completed by Dor
and Elovici [2]. Utilizing grounded theory, researchers design a conceptual
model that shows the current practices for decision-making about information
security investment in organizations across industries. The framework takes into
consideration that organizations may have different views, specifically depend-
ing on the stakeholder who finances the security measures, the organization’s
industry, structure and role of the Chief Information Security Officer’s (CISO).
Within this research, the case study methodology leverages a conceptual digital
cybersecurity risk management framework. This will show that stakeholders in
risk taking organizations can make effective decisions on implementing cyber-
security measures to reduce the likelihood of a cybersecurity breach.
4. Research
This research further analyzes the data gathered through the initial survey study
to develop a cyber risk investment model and digital cybersecurity risk man-
agement framework. These conceptual models are used within the case study
methodology to demonstrate a strategic approach to organizational decisions as
it pertains to cybersecurity spend.
4.1. Gaps in the Literature
In reviewing the literature within the focus area of this research, specifically
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 143
Journal of Information Security
economics of information security, it became apparent that there is significant
literature on this topic. There are many variations of frameworks and economic
models for investments in security measure and decision-making that are
present in the literature. These models are applicable to specific phases in the
decision process since they resolve various concerns within it. Model examples
include: 1) creation of an economic model to assist the decision maker on their
information security investment, Rue
et al.
[3]; 2) economic models which pro-
vide an estimate on the return on security investments (ROSI) for security
measures, Cavusoglu
et al.
[4] [5], Gordon and Loeb [6] [7], Huang
et al.
[8],
Purser [9]; 3) a management model that estimates various investment strategies
on security management, Finne [10], Nazareth
et al.
[11]; and 4) a multi-criteria
decision-making model that is used within the decision-making process in se-
lecting projects, Comes
et al.
[12].
These models and frameworks rely on either specific scenarios or controlled
conditions. In addition, decision-making in firms may include characteristics
that are not present in these models,
i.e.
, politics, organizational, psychological
cognitive biases, prejudice, Dutta
et al.
[13]. As a result of the dynamic environ-
ment within the industry of information security, mitigation strategies evolve to
address emerging industry threats. These variations influence the conditions that
were used within previous framework and economic models. Frameworks and
economic models become outdated and narrow in the way it reflects current de-
cision-making processes.
Furthermore, stakeholders in organizations may choose not to utilize these
frameworks and economic models, since they are either complex or are not
practical, Pettigrew [14]. Therefore, there is a need to develop a relevant, current
conceptual model that represents the risk management process of how optimal
information security investments occur in organizations. The current literature
is limited in this realm of decision-making to include various models that can be
applied by stakeholders on optimal cybersecurity spend within risk taking or-
ganizations.
4.2. Theoretical and Practical Contribution
This research will address a need in both the academic and practitioners’ com-
munity, as this research developed and implemented an appropriate strategic
framework to mitigate cybersecurity risks.
4.2.1. Contribution to Theory
The research will bring an in-depth theoretical understanding to this field, as it
intends to test theory within the organizational behaviour, risk management and
strategy discipline. The literature review provides two specific areas that can be
further explored through empirical studies.
4.2.2. Contribution to Practice
The research also proposes to make an industry contribution by assisting busi-
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 144
Journal of Information Security
ness leaders with an appropriate risk mitigation strategy when implementing
cybersecurity controls. The application of the research within organizations will
provide a framework to assist with the decisions made by executives pertaining
to cybersecurity spend. This is demonstrated in Section 7 through a case study
methodology.
5. Research Outline
5.1. Philosophical and Methodological Approaches
The relationship between data and theory has been discussed in depth by many
philosophers over the years. This research has considered the main philosophical
positions that underlie the design of the research. Specifically, being able to have
a clear sense of my reflexive role in research methods, to assist with clarifying
the research design, recognizing which design will be effective and providing
ways on how to adapt the research according to the constraints presented.
“Awareness of the philosophical assumptions can both increase the quality of
research and contribute to creativity of the researcher”, Easterby-Smith, Thorpe,
Jackson [15].
5.2. Ontology, Epistemology and Methodology
The ontological approach for this research will be a combination of internal
realism and relativism. Internal realism assumes that there is a single reality but
asserts that it is never possible for scientists to access that reality directly. Rela-
tivism progresses further in suggesting that scientific laws are not simply
present, they are available to be created by people. As people have different
perspectives and their ability to gain acceptance from others may be influenced
by many factors, Easterby-Smith, Thorpe, Jackson [15].
The epistemological approach for this research will be a combination of posi-
tivism and normal constructionism. The main idea of positivism is “that the so-
cial world exists externally, and that properties can be measured through objec-
tive methods rather than being inferred subjectively through sensation, reflec-
tion and/or intuition”, Easterby-Smith, Thorpe, Jackson [15]. Combining this
idea with a constructionist position would allow for many different realities, fa-
cilitating a research design that would gather multiple viewpoints. Using a com-
bination of qualitative and quantitative methods, this research analyzed data ga-
thered from a diverse population.
5.3. Methods and Techniques
The survey study research design utilizes an inductive, mixed methods approach,
and employs a combination of techniques using a combined cross sectional and
time series horizon. The partnership research design will apply a mixed methods
study, to encompass a four phased approach using the data gathered through the
survey study. To elaborate on partnership research designs, this “typically in-
volves combining more than one method, such as a questionnaire survey and
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 145
Journal of Information Security
interviews, where both assume similar importance in the study… When com-
bined, the interview data will contain greater detail, clarifications and added ex-
planations; the questionnaire data will contain shorter answers, possibly more
focused, but will be able to cover responses from a wider range…”, Easter-
by-Smith, Thorpe, Jackson [15].
Specifically, the mixed method approach will facilitate a sequential design
with the following: 1) initial qualitative research; 2) the quantitative research is
used as the dominant factor with respect to the findings; and 3) the case study
methodology to demonstrate the implementation of the digital cybersecurity risk
management framework.
Phase 1. Interview Study: Qualitative approach focused on seven participants
providing input to refine the survey study questionnaire.
Phase 2. Survey Study: Qualitative approach focused on information ga-
thered through an online descriptive survey study utilizing a five-point response
Likert scale. Analysis of the data will leverage summary statistics of responses,
differential and inferential statistics.
Phase 3. Regression Analysis: Quantitative statistical testing method used to
examine the relationship between two or more variables of interest, specifically,
examining the influence of one or more independent variables on a dependent
variable. The purpose of regression analysis was to explore the effectiveness of
current cybersecurity frameworks in organizations to minimize cybersecurity
risks utilizing the data gathered through the survey study.
Phase 4. Case Study: The case study methodology provides an in-depth view
of one organization’s risk mitigation strategy within the bounded environment
of the educational environment focusing on five areas identified within digital
cyber risk model: 1) technology landscape and application portfolio; 2) data cen-
tric focus; 3) risk management practices; 4) cost-benefit analysis for cybersecuri-
ty measures; and 5) strategic development.
Optimum Spending on Cybersecurity Measures is published on Emerald In-
sight at: https://www.emerald.com/insight/1750-6166.htm, and contains the re-
sults from the survey study. Specifically, the research data to support Phase 1
and Phase 2.
6. Testing the Effectiveness of Cybersecurity Frameworks
Regression analysis was utilized to evaluate the way in which organizational de-
cisions are made as it relates to cybersecurity spending. The purpose of regres-
sion analysis was to explore the effectiveness of current cybersecurity frame-
works in organizations to minimize cybersecurity risks utilizing the data ga-
thered through the survey study.
Single Multivariate Linear Regression Model
This analysis will utilize the data collected through the survey study which con-
tains information on several variables in understanding an organization’s prior-
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 146
Journal of Information Security
ity when implementing cybersecurity measures. Appropriate analyses will be
completed on this data using IBM’s SPSS and statistical testing. To assess the ef-
fectiveness of cybersecurity measures, the following will be used to analyze the
data to estimate a single linear equation that will test the effectiveness of the cy-
bersecurity framework in place within organizations, as identified through par-
ticipants within the survey study.
The data from the survey study shows the following:
Analysis 1: Using a dependent variable based on the Level of Risk an organi-
zation is willing to assume when implementing cybersecurity measures, specifi-
cally, 0risk neutral, 1risk taking and 2risk averse, this regression demon-
strates that risk taking organizations measure the effectiveness of their cyberse-
curity framework in the following priority:
1) Ability to meet compliance obligations.
2) Tested through the Audit/Assurance function.
3) Measured using Key Performance Indicators and Key Risk Indicators
(KPI/KRI).
4) Measure using a Capacity Maturity Model (CMM).
5) Funds available/cost to implement security measure.
Analysis 2: Using a dependent variable based on the Investment Budget, spe-
cifically, 0$0 - $500K, 1$500K - $1M, 2 - $1M - $5M, and 3 - above $5M.
This regression demonstrates that the average investment budget allocated by an
organization when implementing cybersecurity measures is approximately $3
million, and organizations are effectively able to detect, respond and monitor an
information security breach, however, are unable to adequately prevent an in-
formation security breach.
Analysis 3: Using a dependent variable based on the Average Dollar Loss after
a Cybersecurity Breach, specifically, 1$0 - $1M, 2$1M- $3M, 3$3M - $5M,
and 4above $5M. This regression demonstrates that the average funding allo-
cated by organizations when implementing cybersecurity measures is 15% of the
overall enterprise budget. Risk taking organizations incur an average of $3.5 mil-
lion in loss after a cybersecurity breach has occurred.
Analysis 4: Using a dependent variable based on the Level of Risk an organi-
zation is willing to assume when implementing cybersecurity measures, specifi-
cally, 0risk neutral, 1risk taking and 2risk averse, this regression demon-
strates that risk taking organizations indicated that a strong security posture
meets government regulations and company policy. However, on average, these
organizations continue to experience approximately 5 cybersecurity breaches
annually after meeting compliance obligations.
In conclusion, it is evident from the data analyzed through the survey study
that risk taking organizations implement cybersecurity measures when required,
and therefore spend minimal in support of a foundational security posture. In
addition, continuous compliance management to facilitate a preventative ap-
proach is nonexistent, resulting in unforeseen losses due to the impact of reoc-
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 147
Journal of Information Security
curring cybersecurity breaches.
7. Case Study
The case study methodology was utilized to evaluate the way in which risk man-
agement decisions are made as it relates to cybersecurity spending. The purpose
of the case study was to demonstrate that a digital cybersecurity risk manage-
ment framework is effective in minimizing cybersecurity risks, with a focus on
the decision-making process by applicable stakeholders within organizations.
Through utilizing the digital cybersecurity risk management framework, this
case study shows that an appropriate risk mitigation strategy can be utilized by
risk taking organizations to reduce the likelihood of a cybersecurity breach.
7.1. Methodology Used for Evaluating Cybersecurity Risk
Management Framework
This case study provides an in-depth view of a risk-taking organization’s risk
mitigation strategy within the bounded environment of the educational envi-
ronment focusing on five areas identified within cyber risk investment model: 1)
technology landscape and application portfolio; 2) data centric focus; 3) risk
management practices; 4) cost-benefit analysis for cybersecurity measures; and
5) strategic development, see Figure 3.
Figure 3. It shows the cyber risk investment model which is comprised of the 1) technol-
ogy landscape and application portfolio; 2) data centric focus; 3) risk management prac-
tices; 4) cost-benefit analysis; and 5) strategic development (Kissoon, 2020).
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 148
Journal of Information Security
Technology Landscape and Application Portfolio
The technology landscape is defined as the technology and information secu-
rity measures in place within the enterprise architecture. This landscape is
usually depicted through enterprise architecture artefacts that include but are
not limited to the visual layout of the technology, system interfaces, communica-
tion channels, application portfolios, technology stack and security measures.
This landscape extends from the on-premises environment to suppliers, service
providers, agents and partners.
Data Centric Focus
Data classification, in the context of cyber risk management, is the classifica-
tion of data based on its level of impact on an organization and includes collec-
tion, use, disclosure and retention. Protection of data is based on the data classi-
fication level,
i.e.
, public, internal use, confidential, or restricted. These levels de-
fine the type of cybersecurity safeguards that should be in place to adequately
protect the data, regardless of how they are stored. Protection of data includes
safeguards to minimize loss, theft, unauthorized access, use, disclosure, copying
and modification.
Risk Management Practices
All organizations are confronted with risks that have the potential to nega-
tively affect their business. Risk management practices in the financial services
sector focuses on identifying, measuring and analyzing those threats to reduce
material, reputation, opportunity and other costs. These practices utilize the en-
terprise risk management (ERM) framework, which is integrated with informa-
tion security, privacy risk, vulnerability management, system and application
development lifecycle and business continuity management (BCM).
Cost-Benefit Analysis for Cybersecurity Measures
Cost-benefit analysis is the widely accepted economic principle for managing
an organization’s resources. This principle requires that the costs of an activity
be compared to the benefits. When the benefits exceed the costs, it pays to en-
gage in those activities, whereas if the costs exceed the benefits, the opposite is
true. When the costs and benefits of an activity are equal, the decision-maker
may factor other qualitative measures into the decision.
The three major activities usually associated with cybersecurity are 1) pro-
tecting information from authorized users of the information; 2) making infor-
mation available to authorized users on a timely basis; and 3) protecting infor-
mation from integrity flaws.
Strategic Development
Business objectives are specific and measurable goals that an organization
pursues as it focuses on growth, profitability, efficiency and stability. These ob-
jectives are interconnected with the enterprise strategy and appear directly
within the business strategy and multi-year road map.
7.2. Digital Cybersecurity Risk Management Framework
Cybersecurity spending is discussed across the literature, and various approach-
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 149
Journal of Information Security
es, methodologies and models are used. Using a case study methodology, the
aim of this research is to demonstrate that a digital cybersecurity risk manage-
ment framework may be utilized when evaluating and implementing cyberse-
curity measures. The digital cybersecurity risk management framework consists
of: 1) risk assessment; 2) internal control assessment; 3) an understanding of the
organization’s risk appetite; and 4) risk mitigation strategy.
7.3. Risk Assessment
The risk assessment process identifies critical risk elements, examples are as fol-
lows:
1) Data classification
2) Strategic/Business requirements
3) Application development
4) Vendor relationships
5) Technology landscape
6) Legal/Regulatory
7) Brand /Reputational
8) Operational
9) Financial
10) Security/Fraud
Risk Prioritization: Assess the Inherent Risk
The risk assessment process is based on a questionnaire in which a set of
questions are formulated for each risk element. Examples of question categories
include:
Financial loss
Media attention
Reportable to Regulator
Impact to suppliers and employees
Loss or damage to Information Systems
Each question can be answered in one of five ways, in increasing order of risk,
such that a risk score between 1 and 5 can be assigned for that question based on
two rating scales: likelihood and impact.
A quantitative inherent risk score can be calculated for each question, each
risk element and the overall initiative as follows:
Risk score per question: product of the likelihood and impact rating.
Risk score per element: accumulating the numerical score per question and
dividing it by the number of questions for a risk element.
Risk score for the overall initiative: accumulating the numerical score per risk
element and dividing it by the number of risk elements in each project.
This quantitative inherent risk score is assigned a qualitative risk score cate-
gorized as high, medium or low. The qualitative inherent risk score shows what
element carries the most risk, making it simple for decision-makers to allocate
resources.
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 150
Journal of Information Security
Impact Rating Scale
Figure 4 below shows the quantitative scale for the impact rating based on a
score of 1 - 5.
Likelihood Rating Scale
Figure 5 below shows the quantitative scale for the impact rating based on a
score of 1 - 4.
Qualitative Inherent Risk Rating
Figure 6 below shows the scale of the qualitative inherent risk rating based on
the quantitative inherent risk score.
Figure 4. It shows a sample impact rating scale (Kissoon, 2020).
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 151
Journal of Information Security
Figure 5. It shows a sample likelihood rating scale (Kissoon, 2020).
Figure 6. It shows a sample Qualitative Inherent Risk Rating Scale (Kissoon, 2020).
7.4. Internal Controls Assessment
The internal control environment is defined as the technology and cybersecurity
measure in place within the enterprise architecture. This landscape is usually de-
picted through enterprise architecture artefacts, which include but are not li-
mited to diagrams, interfaces, communication channels and application/technology
portfolios. In addition, it extends from the on-premises environment to suppli-
ers, service providers, agents and partners. Therefore, in addition to internal as-
sessments, external third-party assurance reports are utilized to assist with the
assessment of the internal control environment.
Some organizations utilize a cybersecurity risk-based framework to manage
cybersecurity risk. The industry framework has been established through NIST
and is composed of three parts:
the framework core
the framework implementation tiers
the framework profiles
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 152
Journal of Information Security
Each framework component strengthens the integration between cybersecuri-
ty activities and business drivers. The framework core is a set of cybersecurity
activities, desired outcomes and applicable references that are common across
critical infrastructure sectors.
The core provides industry standards, guidelines and practices in a way that
allows for communication of cybersecurity activities and outcomes from the ex-
ecutive level to the implementation/operations level.
The framework core consists of five concurrent and continuous functions
identify, protect, detect, respond, recover, as shown in Figure 7. When consi-
dered as a whole, these functions provide a high-level strategic perspective on
the lifecycle of an organization’s management of cybersecurity risk through as-
sessment of the internal control environment.
The framework core then identifies underlying key categories and subcatego-
ries that are specific outcomes for each function. These outcomes are equated
with informative references such as existing standards, guidelines, and practices
for each subcategory.
Vendor Assurance Reports
As outsourcing service providers (OSPs) manage a significant amount of cus-
tomer data, systems, processes and operations, their ability to manage associated
risks while meeting increasing compliance requirements often emerges as a
priority. Many service providers are reactive to third-party reporting due to the
lack of full visibility in their reporting portfolios. Creating a library of enter-
prise-wide requirements and mapping individual obligations to corresponding
controls can help identify gaps and overlaps. For example, an organization may
have one control for regulating physical access to its data center, but it may align
with 20 different internal and external requirements. An integrated library of
requirements and control tests can make it easier to compile customer-centric
reports.
Outsourcing is a growing trend, and companies increasingly depend on
third-party providers to deliver critical services. The purpose of third-party re-
ports,
i.e.
, SOC2 or ISAE3402 review, is to provide client auditors with an objec-
tive report that expresses an opinion about the control environment of a service
Figure 7. It shows the NIST cyber security framework which consists of five concurrent
and continuous functions—identify, protect, detect, respond, recover (NIST, 2018).
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 153
Journal of Information Security
organization. These reports are designed to provide assurances about the effec-
tiveness of controls in place at a service organization,
i.e.
, SOC for Service Or-
ganizations: Trust Services Criteria (SOC2) assesses the security, availability, or
processing integrity of the system used to process client information or the con-
fidentiality or privacy of that information.
7.5. Organization’s Risk Appetite
An organization’s risk appetite is the amount of risk, on a broad level, that an
organization is willing to accept as it tries to achieve its goals and provide value
to stakeholders.
During the risk assessment process, an organization’s residual risk is assessed
to determine the remaining risk after internal controls are implemented. As-
sessing this risk shows the organization the areas where a gap or lack of internal
control exists. Usually, this is the area of focus for key stakeholders as they de-
termine the cost-benefit analysis and risk mitigation strategy. In essence, resi-
dual risk should be aligned with the organization’s/business unit’s risk profile
within the risk tolerance level.
Specifically, the residual risk score is a qualitative score that is more granular
than the score of inherent risk, as shown in Figure 8. Inherent risk is assigned
based on one of three scores, high, medium or low, while residual risk is com-
monly assessed based on one of five or more scores: high, medium-high, me-
dium, medium-low and low. This granularity highlights control implementation
progress over time and better reflects changes in overall risk.
7.6. Risk Mitigation Strategy
In some circumstances, to align the residual risk with the organization’s/business
unit’s risk appetite, further mitigation is required. Therefore, organizations are
required to make decisions about funding cybersecurity activities in a manner
consistent with the viewpoint of various stakeholders. Below is a risk treatment
scale, which aligns the impact, likelihood and inherent risk rating scale to iden-
tify areas that may require governance and risk mitigation through senior man-
agement oversight and additional cybersecurity measures, as shown in Figure 9.
Figure 8. It shows a sample residual risk rating scale (Optiv, 2011).
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 154
Journal of Information Security
Figure 9. It shows a sample Risk Treatment Scale (Queensland Treasury and Trade, 2011).
Cost-benefit analysis is the widely accepted economic principle for managing
an organization’s resources. This principle requires that the costs of an activity
be compared to the benefits. When the benefits exceed the costs, it pays to en-
gage in those activities, whereas if the costs exceed the benefits, the opposite is
true. When the costs and benefits of an activity are equal, the decision-maker
may factor other qualitative measures into the decision.
The three major activities usually associated with cybersecurity are: 1) pro-
tecting information from authorized users of the information; 2) making infor-
mation available to authorized users on a timely basis; and 3) protecting infor-
mation from integrity flaws.
The costs associated with these activities are significant, as organizations will
incur costs to detect and correct security breaches that cannot be prevented. The
benefits of cybersecurity are directly related to the cost savings, known as cost
avoidance, associated with preventing cybersecurity breaches.
The cost-benefit framework states that the goal of an organization should be
to implement security procedures up to a point where the benefits minus the
costs are maximized. In this framework, implementing cybersecurity activities
beyond that point means that the incremental costs are maximized. Implement-
ing cybersecurity activities beyond that point means that the incremental costs
are greater than the incremental benefits of the additional security measures. In
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 155
Journal of Information Security
essence, the net benefit of implementing incremental cybersecurity measures
beyond the maximum point is negative and therefore represents a financial cost
to the organization.
In contrast, the digital cybersecurity risk management framework has four
areas of consideration: 1) alignment with the organization’s risk appetite; 2)
alignment with the risk assessment process; 3) understanding of the cost-benefit
analysis; and 4) justification of risk mitigation strategy. Although cost-benefit
analysis is impactful from a financial perspective, in some cases, other factors
need to be considered to fully understand the impact of not implementing addi-
tional security measures. For example, the cost of preventive cybersecurity
measures is usually not factored into the organization’s cost-benefit analyses.
Specifically, the cost of preventative security measures usually includes devel-
opment and implementation of a continuous compliance monitoring program.
The survey study showed that respondents from risk taking organizations are
focused on implementation of foundational cybersecurity measures to meet
mandatory compliance obligations. In addition, most organizations do not have
the data to appropriately factor the cost/impact of a cybersecurity breach on an
organization,
i.e.
, its effect on the organization’s brand/reputation, legal/regulatory
landscape, operational/technology environment, forensic/e-discovery-related
items, third-party suppliers, and therefore the actual cost of remediating a cy-
bersecurity breach is unrealized.
To adequately implement cybersecurity measures, in addition to cost-benefit
analysis, stakeholders should implement an elaborate decision-making process
to determine the additional security measures needed to adequately protect an
organization from a cybersecurity breach while aligning with its risk appetite.
8. Case Study: ABC University is Exploring a Vendor
Relationship to Utilize the Mobius Platform
Business Overview
With over 15 years in the market, the Möbius platform is used by students,
teaching assistants and professors at some of largest institutions globally.
Möbius is a robust online authoring and delivery environment specifically de-
signed for the needs of STEM classrooms. It includes a suite of tools and features
for authors looking to design and develop digital assets for their students or
peers, and a delivery environment that enables and promotes deep and active
learning for users through the combination of instructional material with
hands-on activities.
The Möbius platform offers:
A mechanism for creating and deploying online STEM courses.
Lessons, assessments and interactive learning activities, it unfolds the poten-
tial for the STEM student to acquire knowledge at a guided yet self-defined
pace.
Complex STEM disciplines with its world-class math-engine.
The ability to create and use powerful multimedia visualizations to anchor
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 156
Journal of Information Security
key STEM concepts.
Students immediate and meaningful feedback and provides instructors with
data on student engagement and understanding.
Advance question types with algorithmically generated and randomized
questions.
Access to high-quality content created by curriculum experts.
Seamlessly integration with ABC’s University Learning Management System
(LMS).
Technical Overview
The Möbius Platform is vendor owned by DigitalEd. This cloud-based solu-
tion is hosted within the Google Cloud Platform System and the Alibaba Cloud.
8.1. Risk Assessment
Impact and Likelihood
The impact and likelihood rating scale located in the Section 7.3, outlines the
evaluation of the protection requirement level for each protection requirement.
The table below shows the impact and likelihood rating as it applies to the risk
elements.
Risk
Element
Likelihood
1
Data Classification
PII: The protection of PII is subject to routine risk assessment processes. A Privacy Impact Assessment
(PIA) is managed by ABC University’s Privacy’s office. PII elements are captured and stored through
this cloud hosted web application platform, specifically any personal information that is used with an
ABC University student to include but not limited to:
Student information
Grades
Course information
Connectivity to the Learning Tool Interoperability
Sensitive Authentication Data (SAD): is the information on a payment card used for authentication at
the time of a purchase. This includes data from the full magnetic strip, card security code
(CSC, CVV2, CID, CAV2) and personal identification number (PIN). The Mobius Platform
facilitates payment card transactions from ABC University individuals, and therefore protection
of sensitive authentication data is required by DigitalEd.
Major Frequent
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 157
Journal of Information Security
Continued
2
Business Requirements
The Möbius Platform is used within the ABC University student environment to provide a
comprehensive online courseware platform focusing on the unique needs of science, technology,
engineering and mathematics students.
Moderate Likely
3
Application Development
Application develop is minimal to include integration with the Möbius Platform. Development includes
standard interface within the University’s Learning Management System (LMS) and connectivity to
Learning Tool Interoperability (LTI).
Minor Possible
4
Vendor Relationship
DigitalEd is a privately held Canadian company, with approximately 65 employees worldwide.
DigitalEd is an online learning company with a simple and resonant purpose to shape the world
through digital learning. DigitalEd, introduced the Möbius platform in Spring 2017 with the
intent to improve the online learning experiences of authors, instructors and students in science,
technology, engineering and mathematics (STEM)-based classrooms.
Moderate Likely
5 Technology landscape
Suppliers and third-party partners include Google Cloud Platform (GCP) System and Aliyun. Major Frequent
6
Legal/regulatory
Disclosure of data subject to specific regulatory requirement
Lawsuits by aggrieved owners of lost or compromised data,
i.e.
, PII.
Fines and penalties assessed by regulators.
Major Possible
7
Brand/reputational
Unflattering or negative publicity due to press coverage which damages ABC University’s brand.
Loss of customer confidence due to the release or compromise of data.
Minor Possible
8 Operational
Loss of operations and use of system by authorized users. Moderate Likely
9 Financial
Significant costs to restore/repair any damages caused by intentional/unintentional users. Minor Possible
10
Security and fraud issues
Loss and/or manipulation of sensitive data,
i.e.
, PII through disclosure of authentication credentials,
distributed denial of service attack, malware attack.
Major Frequent
Inherent Risk
The inherent risk has been assigned based one of three scores of either high,
medium or low, as shown in the below chart.
Risk
Element
Quantitative
Inherent
Risk
Rating
Qualitative
Inherent
Risk
Rating
Impact
Likelihood
Rating
1 Data Classification 4 5 20 High
2 Business Requirements 3 4 12 High
3 Application Development 2 3 6 Medium
4 Vendor Relationship 3 4 12 High
5 Technology Landscape 4 5 20 High
6 Legal/regulatory 4 3 12 High
7 Brand/reputational 2 3 6 Medium
8 Operational 3 4 12 High
9 Financial 2 3 6 Medium
10 Security and fraud issues 4 5 20 High
Average 12.6 High
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 158
Journal of Information Security
8.2. Internal Control Assessment: Effective
The core components of the NIST Cybersecurity Framework were utilized to
adequately assess the DigitalEd environment supporting the Möbius Platform.
Specifically, the following vendor assurance reports were provided: 1) Higher
Education Community Vendor Assessment Tool (HECVAT)-Lite: DigitalEd; 2)
System and Organization Controls (SOC) 2 Type II Report: Google Cloud Plat-
form System for the Period May 1, 2019 to April 30, 2020; and 3) Payment Card
Industry (PCI) Data Security Standard (DSS) self-assessment questionnaire
(SAQ) as of March 21, 2019.
8.3. Organization’s Risk Appetite
The residual risk is a MEDIUM rating for the Möbius Platform.
8.4. Risk Mitigation Strategy
Further risk mitigation recommendations can be utilized to align the organiza-
tion’s risk profile with the NIST Cybersecurity Framework core components.
This area is essential as it provides recommendations to include additional cy-
bersecurity measures that may provide a preventative approach. This would
strengthen a risk-taking organization’s risk profile without requiring the organi-
zation to transition to a risk averse profile. It is important to note that recom-
mendations are not mandatory, and are used to identify additional cybersecurity
measures to strengthen the organization’s security posture while aligning with
the organization’s risk appetite.
Recommendations
Supplier
Chain
Risk
Management
ABC University should ensure that Aliyun is routinely assessed using audits,
test results or other forms of evaluations to confirm they are meeting their
contractual obligations.
ABC University should ensure that response, recovery planning and testing
are conducted with suppliers and third-party providers.
Identity
Management,
Authentication
and
Access
Control
Existing technology and processes within ABC University should be reviewed
and appropriate security controls implemented to include integration with
ABC Universitys LMS.
The web-based interface should support authentication, including standards-
based single-sign-on, leveraging multi-factor authentication and password/
passphrase aging requirements.
Information
Protection
Processes
and
Procedures
DigitalEd should consider implementing an approved disaster recovery process
documentation.
All components of DigitalEd’s disaster recovery plan should be reviewed at
least annually and updated as needed to reflect change.
PII related Information Security controls:
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 159
Journal of Information Security
Protect transfer of data from ABC University to Cloud Hosting environment,
i.e.
, Google, Alibaba.
Secure application programmable interfaces (API), examples include:
Creation of accounts for client applications.
Account updates to use HTTP basic authentication.
Granularity of access control to ensure each client application has access to
the functions it needs for the applicable operation.
The database containing PII located within the cloud hosting environment
should:
Protect PII elements
i.e.
, encryption, masking, hashing.
Provide reports for database logging of administrator/administrator equiva-
lent accounts for review by ABC University’s management.
Implement integrity controls on database and system logs.
Awareness
and
Training
Implement on-going training and awareness of employees in the handling
and processing of PII and data privacy.
Security
Monitoring
The ability to monitor for intrusions within the DigitalEd environment.
Integrate security/data related breach policies and procedures with ABC
University’s incident management process.
9. Ethical Considerations
Four critical ethical principles were reviewed when conducting this research
study. Specifically, “1) avoidance of harm or loss of dignity; 2) transparency and
honest; 3) right to privacy; and 4) researcher integrity”, Rose, Spinks and Can-
hoto, [15]. Each key area was reviewed in terms of stakeholder groups, the re-
searcher, the participants in the research study, and the impact on the industry.
10. Implication for Research, Practice and/or Society
It is apparent that although organizations have actively implemented cyberse-
curity frameworks, there is a need to enhance the decision-making process to
reduce the number and type of breaches, and to strengthen the implemented
cybersecurity frameworks to facilitate stronger preventive approaches. Decisions
that are made by an organization when investing in cybersecurity controls are
heavily focused on baseline compliance with government and industry regula-
tions which may omit emerging technologies and continuous compliance man-
agement. It is evident from the data analyzed through the survey study that risk
taking organizations implement cybersecurity measures when required, and
therefore spend minimal in support of a foundational security posture. In addi-
tion, continuous compliance management to facilitate a preventative approach is
nonexistent, resulting in unforeseen losses due to the impact of reoccurring cy-
bersecurity breaches.
The decision-making process utilized when evaluating, implementing and in-
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 160
Journal of Information Security
vesting in cybersecurity controls is weighted towards the technology organiza-
tion and therefore may be biased on the basis of competing priorities. The out-
come of this study provides greater insight into how an organization makes de-
cisions when implementing cybersecurity controls. This exploratory research
shows that most organizations are diligently implementing security measures to
effectively monitor and detect cyber security attacks. Specifically showing that
risk taking organizations implemented cybersecurity measures to meet com-
pliance and audit obligations with an annual spend of $3.18 million. It also indi-
cated that 23.6% of risk-taking organizations incurred more than 6 cybersecurity
breaches with an average dollar loss of $3.5 million. In addition, the impact of a
cybersecurity breach on risk taking organizations is as follows: 1) data loss; 2)
brand/reputational impact; 3) financial loss fines; 4) increase oversight by regu-
lators/internal audit; and 5) customer/client impact.
The implication this research has on practice is extensive, as it focuses on a
broad range of areas to include risk, funding, type and impact of cybersecurity
breaches encountered.
The survey study clearly demonstrated the need to utilize a digital cybersecur-
ity risk management framework to integrate current industry frameworks within
the risk management practice to include recommendations. This type of frame-
work would provide a balanced approach to managing the gap between a
risk-taking organization and a risk averse organization when implementing cy-
bersecurity measures.
11. Further Work
There were several limitations of the research, and these can be incorporated in-
to the next phase. Further development of the survey study instrument should be
considered by leveraging a more robust tool such as Qualtrics and randomly al-
locating the positions of the questions to avoid order effects that may bias par-
ticipants completing the survey. The partnership research design could be ex-
panded to facilitate other quantitative and qualitative techniques in parallel with
equal weight. In-depth data collection and analysis can be completed to facilitate
broader data collection using grounded theory and data modelling techniques.
Conflicts of Interest
The author declares no conflicts of interest regarding the publication of this pa-
per.
References
[1] Kissoon, T. (2019) Optimum Spending on Cybersecurity Measures.
Transforming
Government
:
People
,
Process and Policy
, 14, 417-431.
https://doi.org/10.1108/TG-11-2019-0112
[2] Dor, D. and Elovici, Y. (2016) A Model of the Information Security Investment De-
cision-Making Process.
Computer & Security
, 63, 1-13.
https://doi.org/10.1016/j.cose.2016.09.006
S. T. Kissoon
DOI:
10.4236/jis.2021.121007 161
Journal of Information Security
[3] Rue, R., Pfleeger, S. and Ortiz, D. (2007) A Framework for Classifying and Com-
paring Models of Cyber Security Investment to Support Policy and Deci-
sion-Making.
Sixth Workshop on the Economics of Information Security
, Pitts-
burgh, 7-8 June 2007, 1-23.
[4] Cavusoglu, H., Mishra, B. and Ragunathan, S. (2004) A Model for Evaluating It Se-
curity Investments.
Communications of the ACM
, 47, 87-92.
https://doi.org/10.1145/1005817.1005828
[5] Cavusoglu, H., Raghunathan, S. and Raghunathan, W. (2008) Decision-Theoretic
and Game-Theoretic Approaches to IT Security Investment.
Journal of Manage-
ment Information Systems
, 25, 281-304.
https://doi.org/10.2753/MIS0742-1222250211
[6] Gordon, L.A. and loeb, M.P. (2002) The Economics of Information Security In-
vestment.
ACM Transactions on Information and System Security
, 5, 438-457.
https://doi.org/10.1145/581271.581274
[7] Gordon, L.A., Loeb, M.P. and Zhou, L. (2016) Investing in Cybersecurity: Insights
from the Gordon-Loeb Model.
Journal of Information Security
, 7, 49-59.
http://dx.doi.org/10.4236/jis.2016.72004
[8] Huang, C.D., Hu, Q. and Behara, R.S. (2008) An Economic Analysis of the Optimal
Information Security Investment in the Case of a Risk-Averse Firm.
International
Journal of Production Economics
, 114, 793-804.
https://doi.org/10.1016/j.ijpe.2008.04.002
[9] Purser, S.A. (2004) Improving the ROI of the Security Management Process.
Com-
puters & Security
, 23, 542-546. https://doi.org/10.1016/j.cose.2004.09.004
[10] Finne, T. (1998) A Conceptual Framework for Information Security Management.
Computers & Security
, 17, 303-307. https://doi.org/10.1016/S0167-4048(98)80010-2
[11] Nazareth, D. and Choi, J. (2015) A System Dynamics Model for Information Secu-
rity Management.
Information & Management
, 52, 123-134.
https://doi.org/10.1016/j.im.2014.10.009
[12] Comes, T., Hiete, M., Wijngaards, N. and Schultmann, F. (2011) Decision Maps: A
Framework for Multi Criteria Decision Support under Severe Uncertainty.
Decision
Support System
, 52, 108-118. https://doi.org/10.1016/j.dss.2011.05.008
[13] Dutta, A. and Mccrohan, K. (2002) Managements Role in Information Security in a
Cyber Economy.
California Management
, 45, 67-87.
https://doi.org/10.2307/41166154
[14] Pettigrew, A. (2009). The Politics of Organizational Decision-Making. Routledge,
London.
[15] Easterby-Smith, M., Thorpe, R. and Jackson, P.R. (2015) Management & Business
Research. Sage, London.
... Similar to Santini et al. they base their estimations on currently known system vulnerabilities. Kissoon [18] also applies regression models to measure the effectiveness of current implemented cyber security measures in organisations. She uses internal variables such as risk appetite, security budget and loss after security breach obtained from surveys and interviews. ...
Article
Full-text available
A proper assessment of potential cyber threats is vital for security decision-making. This becomes an even more challenging task when dealing with new system designs and industry sectors where there is little or no historical data about past security incidents. We have developed a threat likelihood estimation approach that supports risk management under such circumstances. Quantifiable conditions are determined from the environment in which the system will reside and operate, that is the availability of potential threat actors, their opportunities of performing attacks, the required means that are needed for the attack to succeed, and motivation factors. Our research method follows the principles of practice research where both researchers and practitioners have played central roles in a real-life development project for a maritime communication system. We used a qualitative case study for feature-based evaluation of the approach and associated tool template, and to gather evidence on practical aspects such as suitability for purpose, efficiency and drawbacks from five user groups. The results show that representative participants from the cyber security and maritime community gave positive and consistent scores on the features, and regarded time usage, traceability of the threat assessment and the ability to indicate underlying uncertainty to be very appropriate. The approach has been proven useful for this domain and should be applicable to others as well, but the template requires up-front investments in gathering knowledge that is relevant and reusable in additional context situations.
Article
Full-text available
Given the importance of cybersecurity to the survival of an organization, a fundamental economics based question that must be addressed by all organizations is: How much should be invested in cybersecurity related activities? Gordon and Loeb [1] presented a model to address this question, and that model has received a significant amount of attention in the academic and practitioner literature. The primary objective of this paper is to discuss the Gordon-Loeb Model with a focus on gaining insights for the model's use in a practical setting.
Article
Full-text available
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend at most a small fraction (1/e) of the expected loss due to a security breach.
Article
Purpose This purpose of this paper is to provide insight through analysis of the data collected from a pilot study, into the decision-making process used by organizations in cybersecurity investments. Leveraging the review of literature, this paper aims to explore the strategic decisions made by organizations when implementing cybersecurity controls, and identifies economic models and theories from the economics of information security, and information security investment decision-making process. Using a survey study method, this paper explores the feasibility for development of a strategic decision-making framework that may be used when evaluating and implementing cybersecurity measures. Design/methodology/approach A pilot study was conducted to evaluate the ways in which decisions are made as it relates to cybersecurity spending. The purpose of the pilot study was to determine the feasibility for developing a strategic framework to minimize cybersecurity risks. Phase 1 – Interview Study: The qualitative approach focused on seven participants who provided input to refine the survey study questionnaire. Phase 2 – Survey Study: The qualitative approach focused on information gathered through an online descriptive survey study using a five-point Likert scale. Findings The literature review identified that there is limited research in the area of information security decision making. One paper was identified within this area, focusing on the research completed by Dor and Elovici [22]. This exploratory research demonstrates that although organizations have actively implemented cybersecurity frameworks, there is a need to enhance the decision-making process to reduce the number and type of breaches, along with strengthening the cybersecurity framework to facilitate a preventative approach. Research limitations/implications The partnership research design could be expanded to facilitate quantitative and qualitative techniques in parallel with equal weight, leveraging qualitative techniques, an interview study, case study and grounded theory. In-depth data collection and analysis can be completed to facilitate a broader data collection which will provide a representative sample and achieve saturation to ensure that adequate and quality data are collected to support the study. Quantitative analysis through statistical techniques (i.e. regression analysis) taking into account, the effectiveness of cybersecurity frameworks, and the effectiveness of decisions made by stakeholders on implementing cybersecurity measures. Practical implications This exploratory research demonstrates that organizations have actively implemented cybersecurity measure; however, there is a need to reduce the number and type of breaches, along with strengthening the cybersecurity framework to facilitate a preventative approach. In addition, factors that are used by an organization when investing in cybersecurity controls are heavily focused on compliance with government and industry regulations along with opportunity cost. Lastly, the decision-making process used when evaluating, implementing and investing in cybersecurity controls is weighted towards the technology organization and, therefore, may be biased based on competing priorities . Social implications The outcome of this study provides greater insight into how an organization makes decisions when implementing cybersecurity controls. This exploratory research shows that most organizations are diligently implementing security measures to effectively monitor and detect cyber security attacks. The pilot study revealed that the importance given to the decisions made by the CIO and Head of the Business Line have similar priorities with regard to funding the investment cost, implementing information security measures and reviewing the risk appetite statement. This parallel decision-making process may potentially have an adverse impact on the decision to fund cybersecurity measures, especially in circumstances where the viewpoints are vastly different . Originality/value Cybersecurity spend is discussed across the literature, and various approaches, methodologies and models are used. The aim of this paper is to explore the strategic decision-making approach that is used by organizations when evaluating and implementing cybersecurity measures. Using a survey study method, this paper explores the feasibility for development of a strategic decision-making framework that may be used when evaluating and implementing cybersecurity measures.
Article
Following recent developments affecting the information security threat landscape, information security has become a complex managerial issue. Using grounded theory, we present a conceptual model that reflects the most up-to-date decision-making practices regarding information security investment in organizations for several industries. The framework described in this article generalizes the current decision-making processes, while taking into consideration that organizations may differ in many respects, including: the stakeholder that administers the information security budget, the Chief Information Security Officer's (CISO) role in the organization, the organization's industry sector, the organizational structure, and so on. Our findings indicate that the information security investment decision-making process contains 14 phases and 16 concepts that affect and are affected by these phases. The study shows that the decision-making process is heavily biased by different organizational and psychological factors. The conceptual model derived can assist decision makers/stakeholders in performing, reviewing, and manipulating the decision-making process in their organizations. It can also assist vendors and consultants in understanding and prioritizing various aspects of their sales cycle.
Article
Managing security for information assets is a critically important and challenging task. As organizations provide clients with ubiquitous access to information systems, and the frequency and sophistication of security threats grows, the need to provide security assumes greater importance. Effective information security management requires security resources be deployed on multiple fronts, including attack prevention, vulnerability reduction, and threat deterrence. Using a system dynamics model, this research evaluates alternative security management strategies through an investment and security cost lens, to provide managers guidance for security decisions. Results suggest that investment in security detection tools has a higher payoff than deterrence investment.
Article
Information security is not a technical issue; it is a management issue. It rests on three cornerstones—critical infrastructures, organization, and technology. While critical infrastructures are beyond the direct control of the organization, balancing them is a critical component of corporate governance. Total security is neither technically feasible nor operationally practicable. Therefore the organization must determine what information assets must be protected and the degree of protection to be provided for them. As Internet-based commerce diffuses through society, there will be decreasing tolerance on the part of customers for losses stemming from perceived or actual cyber vulnerabilities. Only senior management can initiate the plans and policies that address the different aspects of security in a balanced and integrated manner. Leaving security primarily to the IT function will strengthen just one of the cornerstones—namely, technology—and will not yield the intended results. Security lapses are management failures more than technical failures. This article presents an organizational security approach that senior managers can use as a roadmap to initiate security plans and policies and audit their implementation.
Article
The threat to cyber security is real and growing. Organizations of all kinds must take protective measures, but effective resource allocat ion is difficult. This situation is due in part to uncertainty about the nature and severity o f threats and vulnerabilities, as well as about the effectiveness of mitigating measures. A v ariety of models have been proposed to aid decision makers. We describe a framework to analyze and compare models, and illustrate our framework with an analysis of three commonly-used types of models.
Article
This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility theory, we find that for a risk-averse decision maker, the maximum security investment increases with, but never exceeds, the potential loss from a security breach, and there exists a minimum potential loss below which the optimal investment is zero. Our model also shows that the investment in information security does not necessarily increase with increasing level of risk aversion of the decision maker. Relationships between vulnerability and investment effectiveness and two broad classes of security breach probability functions are examined, leading to interesting insights that can be used as guidelines for managers to determine the optimal level of security investment for certain types of security threats faced by risk-averse firms. Future research directions are discussed based on the limitations and possible extensions of this study.