mipro 2012 presentation -aksentijevic tijan hlaca
Post on 04-Apr-2018
7/29/2019 MIPRO 2012 Presentation -Aksentijevic Tijan Hlaca
MIPRO 2012
Investment Analysis of Information Security Management in Croatian Seaports
Saša Aksentijević, Edvard Tijan, Bojan Hlača
The Problem
Existing models of Information Security Management Systems (ISMS) in seaports usually involve threat evaluation, vulnerability management and risk analysis.
Very often all three possible approaches are devoid of economic and financial analysis of seaport information security investments.
A combined model is required which includes both the technical and the financial approach to information security management and decision-making in Croatian Port Community Systems.
Seaport ISMS Overview
Composed of the following components related in a hierarchical manner:
1. Organizational forms, ensuring alignment with legal requirements
2. Organizational information policy (often formalized by security certification)
3. Computer and network hardware
4. Computer software and solutions
Each of these components is related to capital investments or operative costs.
Seaport ISMS investment input parameters
ISMS investments depend on risk assessment as a technical discipline and often lack quantitative financial indicators
High level of substitution between ISMS investments that can be considered either investments or running costs (cloud computing solutions, SaaS)
Possibility of vendor lock-in
Difficult determination of the residual value of an ISMS solution after its useful life
High probability of a lack of internal professional resources
Variables in economic and financial analysis of seaport ISMS investments
Initial investment in information solution or project
Cost of maintenance of information security solution
Material cost of operation (electricity, air conditioning)
Cost of external solutions and services (example: consultancy)
Cost of employee education during operation
Gross equivalent of employee salaries during implementation
Cash flow analysis also includes the source of ISMS project financing and obligations towards those sources (interest). It also includes the time value of money.
Cash flow analysis of seaport ISMS investments
The following methods can be successfully used in ISMS cash flow analysis:
1. Investment time to return (number of years needed to recover the information security investment)
2. Method of discounted investment time to return (if the time value of money has to be incorporated in the analysis)
3. Net present value method
4. Information security solution internal profitability rate
5. Profitability index
Usage of internal rate of return (RoR) in seaport ISMS investments
The discount rate that equates the investment with its net cash flows has to be bigger than the defined discount rate, which depends on risks and cost of capital. Considerations are the following:
Cannot be used to decide between different investments
Anticipates reinvesting positive net cash flow into a project having equal RoR
It is assumed that the problem of multiple RoR does not exist
It provides only a relative measurement of the ISMS investment, not its absolute value
Very sensitive to the project duration, the ability of the security solution to generate positive cash flow and the discount rate used.
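As an added example (not code from the paper), the following Python implements the five cash-flow methods listed above on a constructed set of yearly net cash flows for a hypothetical seaport ISMS project, and adds the sign-change count that signals the multiple-RoR problem mentioned in the considerations.

```python
# Constructed figures for a hypothetical seaport ISMS project (not from the paper).
# Index 0 is the initial investment; later entries are yearly net cash flows, i.e.
# avoided incident losses minus maintenance, operation, education and salary costs.
CASH_FLOWS = [-120_000.0, 35_000.0, 40_000.0, 45_000.0, 50_000.0]
DISCOUNT_RATE = 0.08  # required rate reflecting project risk and cost of capital

def payback_period(flows, rate=0.0):
    """Methods 1 and 2: years to recover the investment, discounted when rate > 0.
    Interpolates inside the recovery year; returns None if never recovered."""
    cumulative = flows[0]
    for year in range(1, len(flows)):
        pv = flows[year] / (1 + rate) ** year
        if cumulative + pv >= 0:
            return year - 1 + (-cumulative / pv)
        cumulative += pv
    return None

def npv(flows, rate):
    """Method 3: net present value at the given discount rate."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))

def irr(flows, lo=-0.9, hi=5.0):
    """Method 4: internal rate of return, found by bisection on npv(rate) = 0.
    Returns None when npv does not change sign on [lo, hi]."""
    f_lo, f_hi = npv(flows, lo), npv(flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(100):
        mid = (lo + hi) / 2
        f_mid = npv(flows, mid)
        if f_lo * f_mid <= 0:   # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                   # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2

def profitability_index(flows, rate):
    """Method 5: PV of yearly inflows per unit of initial outlay (> 1 iff NPV > 0)."""
    pv_inflows = sum(cf / (1 + rate) ** t for t, cf in enumerate(flows) if t > 0)
    return pv_inflows / -flows[0]

def irr_sign_changes(flows):
    """Caveat from the slide: more than one sign change in the flows means the
    project may have several internal rates of return, so irr() alone is not decisive."""
    signs = [cf > 0 for cf in flows if cf != 0]
    return sum(a != b for a, b in zip(signs, signs[1:]))
```

A project whose irr() exceeds DISCOUNT_RATE should still be cross-checked against npv() and profitability_index(), because the rate is a relative measure and says nothing about the absolute value of the investment.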
Alternative evaluation methods
Modern Portfolio Theory (MPT), modified to use a particular distribution curve suited to a set of ISMS solutions (projects)
Analytic Hierarchy Process (AHP) method, paying attention to low levels of Consistency Ratio (CR typically has to be less than 10 %)
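An added example (not from the paper) of the AHP consistency check named above: Saaty's column-normalisation approximation of the priority vector, the Consistency Ratio derived from it, and the CR < 10 % acceptance rule, applied to two constructed pairwise-comparison matrices of three hypothetical ISMS candidate projects.

```python
# Saaty's random consistency index (RI) by matrix order n; used to scale CI into CR.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def priority_vector(matrix):
    """Approximate principal eigenvector: normalise each column, then average rows."""
    n = len(matrix)
    col_sums = [sum(matrix[i][j] for i in range(n)) for j in range(n)]
    return [sum(matrix[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]

def consistency_ratio(matrix):
    """CR = CI / RI, with CI = (lambda_max - n) / (n - 1) and lambda_max estimated
    as the mean of (A w)_i / w_i over the rows."""
    n = len(matrix)
    w = priority_vector(matrix)
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return ci / ri if ri else 0.0

def judgements_acceptable(matrix, limit=0.10):
    """The slide's rule: a comparison matrix is usable only if CR is below 10 %."""
    return consistency_ratio(matrix) < limit

# Constructed judgements on the Saaty 1-9 scale (hypothetical projects A, B, C).
# CONSISTENT encodes weights 3 : 1 : 0.6 exactly, so CR is 0.
CONSISTENT = [[1, 3, 5], [1 / 3, 1, 5 / 3], [1 / 5, 3 / 5, 1]]
# INCONSISTENT says A > B, B > C but C > A; a circular judgement gives CR far above 0.10.
INCONSISTENT = [[1, 3, 1 / 5], [1 / 3, 1, 3], [5, 1 / 3, 1]]
```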
Integrated model of seaport ISMS investment decision-making
Planning of ISMS using only technical criteria does not lead to a desirable outcome (devoid of financial impact and criteria)
Planning of seaport ISMS relying on risk analysis may lead to over- or under-investment in solutions
The integrated model includes technical criteria, risk analysis and a Return on Security Investment calculation
Methods of evaluation (1/2)
Method of evaluation | Complexity | Reliability | Constraints | Applicability
Economic analysis | low | low | static; does not account for time value of money | high; immediate
Financial analysis | med. | med. | dynamic; accounts for time value of money; highly sensitive to anticipated discount rate | high; immediate
Methods of evaluation (2/2)
Method of evaluation | Complexity | Reliability | Constraints | Applicability
Internal rate of return | med. | high | dynamic; can be misguiding; best used with other profitability indicators; may yield several rates of return; cannot be used to compare different information security projects | applicable, if an evaluation of the perceived cost of a security incident can be obtained
MPT | high | high | very complex; requires determination of the correct distribution and adaptation of the model | applicable, if a commercial database of security incident distribution is available or if the port community is collecting its own data over a past period of time
Conclusion
Two opposed perspectives have to be joined: the techno-centric one, insisting on the concept of total security, and the financial one, insisting on rational investments resulting in a satisfactory and measurable return. The balance between the two perspectives is key in decision-making: a shift of this balance in either direction results in the diminished financial performance of the seaport or the implicit acceptance of too high and unreasonable risk levels.
The basic assumption has to be maintained throughout the quantification process, regardless of the chosen method: the summary cost of information security implementation has to outweigh the summary loss caused by security incidents.