Evaluating information security investments from attackers perspective: the return-on-attack (ROA)
Other
Publication date:
2005
Citation:
Evaluating information security investments from attackers perspective: the return-on-attack (ROA) / M. Cremonini, P. Martini. (Paper presented at the 4th WEIS conference, held in Boston in 2005.)
Abstract:
Conducting a cost-benefit analysis of security solutions has always been hard, because the benefits are difficult to assess and often only a part of the overall cost is clear. Despite this, today the provision of economic evaluations of security technology investments is a requirement that more and more customers ask vendors to satisfy. In this paper, we consider the typical calculation of a Return-On-Investment (ROI) index based on the evaluation of the Annual Loss Expectancy (ALE), such as the one usually provided by vendors of IT security.
Our motivating assumption is that such a classical index, the ROI, provides a partial characterization of investments in information security technology, because it fails to explicitly consider attackers' behavior. We suggest that to better evaluate security technology investments, the ROI index should be coupled with a corresponding index aimed at measuring the convenience of attacks, the Return-On-Attack (ROA). Different conclusions could be reached by combining the two indexes and considering either the combination of different technologies or the possible degradation of a security solution's efficiency over time, as shown by means of some case studies and examples.
IRIS type:
14 - Unpublished conference presentation
Keywords:
security; economics; investments; cost-benefit; ROI
Authors:
M. Cremonini, P. Martini