Abstract
Organizations know that investing in security measures is an important requirement for doing business. But how much should they invest and how should those investments be directed? Many organizations have turned to a risk management approach to identify the largest threats and the control measures that could mitigate those threats. These papers present a framework to help in an analysis of the costs and benefits of control measures. Based on a study of five distinct security areas – Identity Management, Network Access Control, Intrusion Detection Systems, Business Continuity Management and Data Loss Prevention – cost factors are identified for IT security, along with whether a quantitative or qualitative approach should be taken for each cost factor. This study finds that even though quantification methods are useful, organizations should not put their trust in such methods alone in the decision-making process for security measures.
Original language | Undefined/Unknown |
---|---|
Title of host publication | Proceedings of the AIS SIGSEC Workshop on Information Security & Privacy (WISP 2008) |
Publication status | Published - 13 Dec 2008 |