Sunday, October 23, 2016

Aerial Dance in Berlin

Wednesday, August 26, 2009

www.adrianmizzi.com

I have moved to a new domain name: www.adrianmizzi.com

Sunday, April 22, 2007

Interview with Terry Martin (GIAC/SANS)

SANS was interested in my work. They arranged an interview which you can read here. The interview was titled ROISI overview and addressed some aspects of the model. Many thanks to Terry Martin for conducting the interview.

This interest was one of the reasons that I decided to publish the final dissertation.

Review sample pages from the thesis by clicking here.

Get an e-book or a printed copy by clicking here.


Dissertation available for download.

Upon general request the Return on Information Security Investment dissertation is available for download. You may download it in e-book format or in printed format.


Saturday, February 12, 2005

8 New languages

The http://www.geocities.com/amz/ site is now available in the following languages: German, Portuguese, Spanish, French, Italian, Japanese (BETA), Chinese (BETA) and Korean (BETA). Many thanks to Google for providing the online translator.

Thursday, February 10, 2005

InfoSec Writers

InfoSec Writers have published the Return on Information Security Investment paper on their website. You may want to vote for it!

Thursday, January 06, 2005

Return on Information Security Investment - Paper

I have published on my website a draft paper entitled "Return on Information Security Investment - Are you spending enough? Are you spending too much?" Readers are encouraged to send feedback to amz@yahoo.com.

Saturday, January 01, 2005

Free GOOGLE gmail account

A GOOGLE gmail account will be donated to the first 5 persons (who do not remain anonymous) who fill in the Questionnaire at Return on Information Security Investment Questionnaire. The submissions will be verified.

Information Security - Questionnaire


This questionnaire quickly analyses whether you are over- or under-spending on IT security. By entering the amount you spend on protecting your IT assets and estimating the likelihood of a threat, which depends on the nature of your business, you get a rough estimate of whether you are overspending or not. It takes only 2 minutes of your time to get started.

Definitions

Vulnerability: Any characteristic of a computer system that allows an individual to keep it from operating correctly, or that allows unauthorized users to take control of the system. A design, administrative, or implementation weakness or flaw in hardware, firmware, or software. If exploited, a vulnerability could lead to an unacceptable impact in the form of unauthorized access to information or disruption of critical processing.

Attack: 1) A discrete malicious action of debilitating intent inflicted by one entity upon another. A threat might attack a critical infrastructure to destroy or incapacitate it. 2) Intentional attempt to bypass the physical or information security measures and controls protecting an IS.

Friday, December 17, 2004

NoticeBored Links to my site

Today, http://www.noticebored.com/html/general.html linked to my website: http://www.geocities.com/amz/. Many thanks to Dr. Hinson for his suggestions and for maintaining the resourceful website at http://www.noticebored.com/.

Thursday, December 16, 2004

Research Aim and Objectives

Return on Information Security Investment

1. To investigate the different information security techniques that can be applied in an organisation and to identify the differences between the scenarios in question.
2. To measure the ROSI of a security system deployed in an arbitrary company.
3. To identify more cost-effective methods of implementing information security in an organisation.
4. To determine a minimal security infrastructure dependent on the nature of the business.
5. To define an effective information security strategy that is suitable for Small and Medium-Sized Enterprises in the Maltese community.


Wednesday, December 15, 2004

Log Book

Added a Log Book outlining the progress of the research. It is useful for keeping track of the current status of the ongoing research.

Return on Information Security Investment

HOW MUCH IS ENOUGH? HOW MUCH IS TOO MUCH!

http://www.geocities.com/amz/ gives the answer

My new website will help the information security practitioner assess the costs required to implement information security in an organisation and the returns that are obtained from such an investment. The research will be used in an MBA dissertation that is currently in progress.

If you are interested in this subject area, write to mailto:amz@yahoo.com?subject=ROISI. I have compiled an extensive compendium of links related to security, return on information security investment and other related topics.

To help in the research, kindly fill in the questionnaire; it will only take 2 minutes of your time. You will also receive a FREE pdf chart with an analysis of your current information security expenditure programme. You may want to review the organisational model before completing the questionnaire.

Introduction and Rationale

As more and more organisations seek electronic ways of doing business, in particular by connecting to the Internet, they are recognising the need to do so securely. According to Scalet (2002), information security is an increasingly high-profile problem, as hackers take advantage of the fact that organisations are opening parts of their systems to employees, customers and other businesses via the Internet. More recently, Cachia & Micallef (2004), in their ongoing research, conclude that security is the attribute perceived to be most important by online shoppers when conducting e-commerce transactions.

Surveys such as those of Briney (2001) and Briney & Prince (2002) make it evident that stringent IT budgets will only allow a minimum subset of information security products and systems to be applied, so it is necessary to prioritise in accordance with business objectives. To date, little is known about what that minimal subset should be, and information security practitioners frequently use a best-practice approach (Liss 2001) to determine information security budgets. The work is more often technically oriented, with little heed paid to the economic aspects (Gordon & Loeb 2002).

Although management is usually paranoid about risk management, it often takes information security for granted (BSI 2004) and is reluctant to invest in it (Foster & Pacl 2002), barring the exceptional cases when the organisation's information system is compromised.

Money spent on procedures may be less than that spent on security products themselves; this may result in cost savings (Witty & Malik 2001) and other benefits, such as acting as a business enabler (Liikanen 2004), for the company whilst maintaining the security level that the company enjoys.

Calculating the return on security investment (ROSI) need not be done in monetary terms, as in Berinato (2002); it can also be analysed using techniques such as the balanced scorecard (Hunt & Symons 2003). Depending on the results obtained, the business will then be in a position to understand whether it is under-spending or over-spending in the area of information security.
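The questionnaire above asks for the amount spent on protection and an estimate of the likelihood of a threat, and this section says the result tells a business whether it is under- or over-spending. The following is an added worked example, not the author's questionnaire logic or the dissertation's model: it carries the monetary form of the calculation through with the standard annualised loss expectancy (ALE) and ROSI formulas, and checks the control cost against the Gordon & Loeb (2002) result that the optimal investment never exceeds 1/e (about 36.8%) of the expected loss. The asset value, exposure factor, occurrence rates and control cost are constructed sample figures, and the verdict strings are my own labels.

```python
import math

# Gordon & Loeb (2002): the optimal security investment never exceeds 1/e of the
# expected loss it protects against (roughly 36.8%).
GORDON_LOEB_FRACTION = 1.0 / math.e


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the loss expected from one occurrence of the threat.

    exposure_factor is the fraction of the asset's value lost per incident.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure_factor must lie in [0, 1]")
    if asset_value < 0.0:
        raise ValueError("asset_value must be non-negative")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the annual rate of occurrence.

    ARO is the 'possibility of a threat' estimate the questionnaire asks for,
    expressed as expected incidents per year (0.5 means one incident every two years).
    """
    if aro < 0.0:
        raise ValueError("aro must be non-negative")
    return sle * aro


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """ROSI = (risk reduction - control cost) / control cost.

    A negative value means the control costs more than the risk it removes.
    """
    if control_cost <= 0.0:
        raise ValueError("control_cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def gordon_loeb_ceiling(expected_loss: float) -> float:
    """Upper bound on sensible spending for a given expected loss (Gordon & Loeb 2002)."""
    return expected_loss * GORDON_LOEB_FRACTION


def spending_verdict(ale_before: float, ale_after: float, control_cost: float) -> dict:
    """Combine the two checks into a rough over-/under-spending verdict.

    The verdict labels are assumptions of this example, not a published scale.
    """
    ceiling = gordon_loeb_ceiling(ale_before)
    ratio = rosi(ale_before, ale_after, control_cost)
    if control_cost > ceiling:
        verdict = "overspending: cost exceeds the Gordon-Loeb ceiling"
    elif ratio < 0.0:
        verdict = "overspending: control costs more than the risk it removes"
    else:
        verdict = "within bounds"
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_cost": control_cost,
        "gordon_loeb_ceiling": round(ceiling, 2),
        "rosi": round(ratio, 4),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed figures: a 500,000 asset, 20% lost per incident, one incident
    # every two years; a 15,000/year control cuts the rate to one in ten years.
    sle = single_loss_expectancy(500_000, 0.2)          # 100,000
    ale_now = annualised_loss_expectancy(sle, 0.5)      # 50,000
    ale_with_control = annualised_loss_expectancy(sle, 0.1)  # 10,000
    print(spending_verdict(ale_now, ale_with_control, 15_000))
```

With the sample figures the control removes 40,000 of annual expected loss for 15,000, so ROSI is about 1.67 and the spend sits below the Gordon-Loeb ceiling of about 18,394; raising the control cost to 20,000 still gives a positive ROSI but trips the ceiling check, which is the kind of signal the questionnaire's rough estimate is meant to surface.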

References

Bahadur, G. 2003, Developing Security Risk Metrics, Available: [http://www.foundstone.com/resources/downloads/webcast-121903/Developing_Security_Risk_Metrics.pdf] (18 April 2004).

Berinato, S. 2002, Finally, a Real Return on Security Spending, Available: [http://www.cio.com/archive/021502/security.html] (16 April 2004).

Briney, A. 2001, '2001 Industry Survey', Information Security, pp. 34-47.

Briney, A. & Prince, F. 2002, '2002 ISM Survey', Information Security, pp. 36-54.

BSI 2004, BSI - short informations to current topics of IT Security, Available: [http://www.bsi.bund.de/english/fb/F30image_en.pdf] (17 April 2004).

Cachia, E. & Micallef, M. 2004, Towards Effectively Appraising Online Stores, Available: [http://www.cs.um.edu.mt/~csaw/Proceedings/00.pdf] (25 September 2004).

Foster, S. & Pacl, B. 2002, Analysis of Return on Investment for Information Security.

Gordon, L. A. & Loeb, M. P. 2002, 'The Economics of Information Security Investment', ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457.

Hunt, S. & Symons, C. 2003, Aligning Security with the Business: The Balanced Scorecard, Available: [http://www.csoonline.com/analyst/report816.html].

Karofsky, E. 2001, 'Return on Security Investment: Calculating the Security Investment Equation', Secure Business Quarterly, vol. 1, no. 2.

Liikanen, E. 2004, 'European Network Security', in CEBIT, 2004 edn, Hannover.

Liss, S. 2001, 'Practical Aspects of Information Security', InfoGroup NorthWest.

Scalet, S. D. 2002, Glossary, Security and Privacy Research Center, Available: [http://www.cio.com/research/security/edit/glossary.html] (18 April 2004).

Soo Hoo, K. J. 2000, 'How Much Is Enough? A Risk-Management Approach to Computer Security', Consortium for Research on Information Security and Policy (CRISP).

Witty, R. & Malik, W. 2001, 'Security TCO Model Helps with more than cost savings', Gartner FirstTake, no. FT-13-9070.