13 research outputs found

    Methodologies for Evaluating Information Security Investments - What Basel II Can Change in the Financial Industry

    The New Basel Capital Accord (Basel II) will include operational risk in the calculation of the regulatory capital required of financial institutions after year-end 2006. Most banks have already developed sophisticated risk management frameworks that help to quantify and manage operational risk. Information security has a direct impact on operational risk, but risk managers have so far given insufficient consideration to Information Systems (IS) related risks. This problem stems mainly from the variety of methods used by security managers to evaluate systems security and to develop security concepts. Even small efforts would enable information security officers to quantify the benefits of information security investments using operational risk quantification methods. The security community has not yet addressed this opportunity. The article discusses models used for decisions about security investments known from the field of security economics and accounting and illustrates the problems by applying these models. Based on a general operational risk management framework of a bank, this article introduces a new approach using accepted risk management methods.

    A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory

    The protection of information technology (IT) has become, and is predicted to remain, a key economic challenge for organizations. While research on IT security investment is growing fast, it lacks a theoretical basis for structuring research, explaining economic-technological phenomena and guiding future research. We address this shortcoming by suggesting a new theoretical model that emerges from a multi-theoretical perspective adopting the Resource-Based View and the Organizational Learning Theory. The joint application of these theories allows us to conceptualize in one theoretical model the organizational learning effects that occur when the protection of organizational resources through IT security countermeasures develops over time. We use this model of IT security investments to synthesize the findings of a large body of literature and to derive research gaps. We also discuss the managerial implications of (closing) these gaps by providing practical examples.

    MODEL FOR ESTIMATING THE RETURN ON CYBERSECURITY INVESTMENT IN CRYPTO-MALWARE ATTACK SCENARIOS AT A COMPANY IN THE FINANCIAL SECTOR

    Companies in the financial sector suffer cyber-attacks every day because they handle large amounts of money. Some of these companies are looking to invest in cybersecurity in the coming years or have already made such an investment. Despite this, many of them do not make the necessary investment, and many others question whether it is necessary to continue with that investment. As a result, many ask the following question: "What is the value of the return on investment in the implementation of cybersecurity controls for the financial sector against new emerging threats, and what are the most appropriate programs, with their respective benefits, that they can bring to the organization in the future?" The purpose of the work presented here is to show the implementation of a return-on-investment model in cybersecurity specialized for cases of crypto-malware, that is, to provide a tool that serves to verify that these investments are useful for mitigating cyber-attacks. This research focuses on understanding cybersecurity methodologies and advanced risk mitigation techniques, resulting in a model that is fed by inputs based on cybersecurity controls and that shows a high success rate. Finally, for validation, a survey will be carried out among cybersecurity experts from different financial entities to demonstrate that the model is acceptable. Professional Sufficiency Report.

    Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning

    The need to protect resources against attackers is reflected in the huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide which IT security measures to invest in, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms' investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent, and (5) learning activities mainly occur on an ad-hoc basis.

    Assessing the threat level in terms of cybersecurity investment for production infrastructure

    The object of the study is cybersecurity with respect to potential threats. The subject of the research is the Cy-VaR assessment methodology. Research methods: analysis of Cy-VaR assessment methods. The aim of the work is to solve the problem of applying Cy-VaR assessment to specific potential threats to an organization. The results of the work can be used to conduct research on Cy-VaR estimates for a specific company.

    Identifying Factors Contributing Towards Information Security Maturity in an Organization

    Information security capability maturity (ISCM) is a journey towards accurate alignment of business and security objectives; security systems, processes, and tasks integrated with business-enabled IT systems; a security-enabled organizational culture and decision making; and measurement and continuous improvement of controls and governance comprising security policies, processes, operating procedures, tasks, monitoring, and reporting. Information security capability maturity may be achieved in five levels: performing but ad-hoc, managed, defined, quantitatively governed, and optimized. These five levels need to be achieved in the capability areas of information integrity, information systems assurance, business enablement, security processes, security program management, competency of the security team, security consciousness in employees, and security leadership. These capability areas lead to the achievement of technology trustworthiness of security controls, integrated security, and security guardianship throughout the enterprise, which are the primary capability domains for achieving maturity of information security capability in an organization. Many factors influence the capability areas and the capability domains for achieving information security capability maturity. However, little existing research has been done on identifying the factors that contribute to the achievement of the highest level of information security capability maturity (optimized) in an organization. This research was designed to contribute to this research gap by identifying the factors contributing to the capability areas for achieving the highest level of information security capability maturity. The factors were grouped under the eight capability areas and the three capability domains in the form of an initial structural construct. 
    This research was designed to collect data on all the factors using an online structured questionnaire and to analyze the reliability and validity of the initial structural construct following the methods of principal components analysis (PCA), Cronbach Alpha reliability analysis, confirmatory factor analysis (CFA), and structural equation modeling. A number of multivariate statistical tests were conducted on the data collected regarding the factors to achieve an optimal model reflecting statistical significance, reliability, and validity. The research was conducted in four phases: expert panel and pilot study (first phase), principal component analysis (PCA) and reliability analysis (RA) of the factor scales (second phase), confirmatory factor analysis (CFA) using LISREL (third phase), and structural equation modeling (SEM) using LISREL (fourth phase). The final model, after completing the four phases, reflected acceptance or rejection of the eleven hypotheses defined in the initial structural construct of this study. The final optimized model was obtained with the most significant factors loading on the capability areas of information integrity, information security assurance, business enablement, security process maturity, security program management, competency of the security team, security-conscious employees, and security leadership, including the most significant factors loading on the three capability domains of security technology trustworthiness, security integration, and security guardianship. All eleven hypotheses were accepted as part of the optimal structural construct of the final model. The model provides a complex integrated framework of information security maturity requiring multi-functional advancement and maturity in processes, people, and technology, and organized security program management and communications fully integrated with the business programs and communications. 
    Information security maturity is concluded to be a complex function of multiple maturity programs in an organization leading to organized governance structures, multiple maturity programs, leadership, security consciousness, and a risk-aware culture among employees.

    The Role of Information Security Awareness for Promoting Information Security Policy Compliance in Banks

    Banks rely heavily on information security (IS), preserving the confidentiality, integrity, and availability of information. A key layer for ensuring information security is the employees, who need to be aware of possible information security issues and behave accordingly. Banks introduce information security policies (ISP) to establish required rules for IS behavior and implement information security awareness (ISA) programs, which are systematically planned ISA interventions such as structured campaigns using intranet messages or posters to educate employees and enhance their ISA. According to previous conceptual research, the most cost-effective method to prevent IS incidents is fostering ISA. The purpose of this dissertation is to explore the role of ISA in promoting employees' ISP compliance. The four stages of this dissertation project focus on organizational efforts such as ISA programs to improve employees' compliant IS behavior and on identifying predecessors for explaining employees' ISP compliance based on established scientific theories. A developmental mixed methods approach is conducted through these four stages of analysis. Primary data were collected in each stage to investigate banks operating in countries such as Austria, Germany, the Czech Republic, Hungary, Slovakia, and Romania. In the first research stage, semi-structured expert interviews were conducted with operational risk and IS managers to explore banks' efforts to counteract IS incidents. The considered banks primarily use online methods such as intranet articles and conventional methods such as posters for building ISA. Second, the findings from stage one were incorporated in research stage two, in which a positivistic case study was conducted to test the Theory of Reasoned Action, Neutralization Theory, and the Knowledge-Attitude-Behavior model. The data were analyzed using partial least squares structural equation modeling (PLS-SEM). 
    In addition to several qualitative interviews and an online survey at the headquarters of the case bank, data such as internal ISA materials (e.g., posters or IS intranet messages) were also analyzed. The second research stage provided empirical evidence that ISA program components affect employees' ISA, which in turn positively affects employees' attitudes and social norms toward compliance with ISPs, but negatively affects the use of neutralization techniques. All of these effects should eventually positively influence IS, as shown in the chain of subsequent factors: the employees' attitudes and social norms positively affect the intention for compliant IS behavior, which is negatively affected by the use of neutralization techniques. In the third research stage, the influence of employees' perception of ISA programs on the Protection Motivation Theory was examined by conducting an online survey among German bank employees. It is demonstrated that employees' perception of ISA programs positively affects perceived severity as well as their coping mechanisms, which play the most important role in positively affecting the intention for compliant IS behavior. Surprisingly, employees' perception of ISA programs negatively affects perceived vulnerability. Moreover, perceived monitoring has a positive moderating effect on the intention-behavior link. Finally, the fourth research stage consists of a qualitative study to analyze the efforts of IS managers to enhance IS and to examine how these efforts are perceived by users. Further, the inductive part of the study uncovers factors that influence the compliant IS behavior of users. Therefore, semi-structured interviews with IS managers were carried out to discover ISA program designs and categorize them according to design recommendations gained from the current literature. 
    In addition, this stage shows that individual ISP compliance seems to be connected with individual perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. To conclude, this dissertation provides several practical as well as theoretical contributions. From an academic perspective, the findings highlight the importance of attitudes, social norms, neutralization techniques, and coping mechanisms for employees' intentions to comply with their ISP. Future research might extend the findings by establishing and characterizing IS-enhancing social norms and exploring methods of counteracting the common use of neutralization techniques. For practitioners, analysis of the design practices of ISA programs provides a better understanding of how to use ISA interventions effectively in the context of banks. (author's abstract)