10 research outputs found

    Cybersecurity Games and Investments: A Decision Support Approach

    Abstract. In this paper we investigate how to optimally invest in cybersecurity controls. We are particularly interested in examining cases where the organization suffers from an underinvestment problem or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cybersecurity control-games between the defender, which abstracts all defense mechanisms of the organization, and the attacker, which can exploit different vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Based on the profile of an organization, which forms its preferences in terms of indirect costs, its concerns about different kinds of threats and the importance of the assets given their associated risks, we derive the Nash Equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular a multi-objective, multiple-choice Knapsack, to determine the optimal cybersecurity investment. Our methodology provides security-effective and cost-efficient solutions, especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cybersecurity budget given their organization profile.

    Economic Valuation for Information Security Investment: A Systematic Literature Review

    Research on technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches for measuring the value of investments in information security, it remains difficult for practitioners to identify key approaches in current research. To address this issue, we conducted a systematic literature review on approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that would help researchers and practitioners navigate existing work; categorisation and mapping of approaches according to their key elements and components; and a summary of key challenges and benefits of existing work, which should help focus future research efforts.

    Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning

    The need to protect resources against attackers is reflected by the huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms’ investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur on an ad hoc basis.

    Business Driven Information Security Measurement

    The starting point for this research was a practical need to study how information security can be measured from the perspective of its governance. The aim of the research was to map what information needs corporate management and information security management have regarding the state of information security, in order to understand which success factors affect information security. Through these success factors, the aim was to form a business-driven set of metrics that supports information security governance and can be used to communicate about it to management. The set objective was first approached in the theoretical part, where a conceptual-analytical research approach was used to build a framework for the empirical part. The framework was formed on the basis of a metrics design process found in the literature and the balanced scorecard, which were examined from the perspective of information security governance. The starting point of the empirical part was to find out why the target company's information security should be measured and what the most important information needs for measurement are. Answers to these questions were sought through thematic interviews. Representatives of the target organisation's management group, operational management and information security organisation took part in the interviews. The material gathered in the interviews was analysed, and a set of metrics was designed on that basis. The designed metrics were evaluated from the perspective of both the target company and the literature. Action research was used as the research approach in the empirical part. Measuring information security at a holistic level is business-driven, based for example on customer requirements or other requirements that steer the business's information security. These requirements must be taken into account as part of internal operations, and operations must be steered accordingly. For the target company's information security it is important that information security is taken into account in product development and as part of the processes that maintain services. A problem identified was that the target company has not set a business-driven objective for information security or assigned development requirements to it. Demonstrating fulfilment of customer requirements, quality in product development and internal information security, industry benchmarking, maintaining service level and surfacing information risks proved to be clear targets for measurement. The most important results of the research were a set of information security metrics that describes the target company's information security in a business-driven way, and a metrics development project with which a set of metrics describing the state of an organisation's information security at a holistic level can be formed. The metrics make it possible to understand what is most important from the business perspective for information security governance and how the set objectives are achieved.

    The starting point for this research was a need to create holistic-level security metrics from an information security governance point of view. The goal of the research was to understand what management needs to know about information security to support its governance. This was the way to understand the key performance indicators that affect information security and to create criteria for measuring information security based on those indicators. The research was divided into two parts: a theoretical and an empirical part. First, a conceptual research approach was used to understand the fundamentals of the research topic and to create a theoretical framework for the research. The framework consists of a planning process for a metrics system and a balanced scorecard. These were scrutinized from an information governance point of view. Then, an action science research approach was used to conduct the empirical part. The first objective in the empirical part was to clarify why information security should be measured in the target company and what the key performance indicators are. Eight interviews were conducted to gain answers to these questions. The interview results were analyzed and a metrics system was planned based on the analysis. The metrics system was assessed from both the literature and the target company's point of view. Measuring information security at a holistic level must be business oriented and must take customer needs or other parties’ compliance needs into consideration in internal operations. The target company wants to pay more attention to information security in its product development and conduct information security as part of the processes that run its services. A problem in this respect is that the target company’s management has not set goals for company-wide information security nor pointed out the most important information security issues to develop. The most important information security performance indicators found in the research were compliance with customer needs, quality in product development and internal security operations, benchmark score, service level, and the ability to identify information security related risks. There were two important results in the research. The first result was a project for developing a holistic-level security metrics system, which can be used to describe the state of information security. The second result was the metrics system itself, which supports information security governance and the reporting of information security. The target company should set company-wide information security goals and point out personnel’s responsibility to support them in order to be able to measure its information security.

    Determining the Cost of Business Continuity Management - A Case Study of IT Service Continuity Management Activity Cost Analysis

    This single-organisation case study discusses the cost of business continuity management in IT services. Information technology (IT) expenses can amount to a substantial part of operational costs in a company, and IT leaders tend to aim for thorough IT cost management to meet financial targets. Thus, information security activities such as business continuity management (BCM) rank among the most important concerns for IT leaders. Despite the concerns of IT management, senior management appears to be hesitant to spend on BCM as much as IT management would hope for. Senior management may struggle with the question of how to justify spending on an activity that proves its usefulness only when a rare event occurs. The challenge of measuring the costs of sociotechnical activities was the inspiration for this work: to find out whether the cost of business continuity management (BCM) could be explained better to help decision making. Two main paradigms emerged from the literature: BCM activities in the context of organisational routines, and IT cost and information security cost classifications. The theoretical assumption was that the relationship between IT costs and BCM activities emulates activity-based costing theory (ABC), that is, the premise of a cause-and-effect relationship between activities and costs. The key question is “How to determine the cost of BCM activities in IT services?” To find out, I used a comprehensive archival data set from a case company and designed a retrospective quantitative model to analyse the association between BCM activities and IT costs. By employing a causal-comparative method and multiple linear regression analysis, I compared distinct groups of IT services to determine how much of the variation in IT costs could be explained by BCM activities. In addition, I measured the relative effect of each independent variable towards the total cost of BCM. As both statistical and practical significance test results were supported, several interesting results were observed between BCM activities and IT costs, namely human, technology and organisational resources, as well as IT service designs. The research presents two theoretical contributions and one empirical contribution to the theory. The first and primary contribution is the BCM activity cost model. This is the final product for the main research question of determining the cost of BCM in IT services. The second contribution is the total cost of BCM framework. This framework contributes to the broader academic discussion of information system (IS) cost taxonomies in IT services and information security. The third contribution is empirical confirmation of how to observe unknown cost effects by multiple regression analysis. Learnings from this research can contribute to IS researchers focused on the economic aspects of IS and IT. The research also introduces three practical contributions. The first one considers the observation of overall BCM cost effects on IT services. Although the results of a single case study cannot be generalized directly to every organization, the information herein may aid companies to evaluate BCM impact on their budgets. The second practical contribution considers the challenges regarding measurement of activity costs that can be difficult to observe directly. Within the limitations of this research, nothing here suggests that the BCM activity cost model could not be productized and integrated into other cost appraisal tools in a company or applied in other IT service management areas. The last important practical contribution is the definitions of BCM activity cost variables. Confirming the cost association between theoretical and empirical BCM frameworks can help BCM professionals to promote the BCM process.

    This single-organisation case study considers the share of continuity management costs in information system services. Information technology (IT) costs may form a significant part of a company's expenses, and IT leaders usually aim for careful cost management in order to achieve the company's financial targets. Therefore, information security activities such as continuity management (business continuity management, BCM) are among their most essential concerns. Despite the concerns of IT leaders, senior management is usually not very eager to invest in BCM as much as IT management would hope. Senior management may struggle with how to justify spending on measures that are needed only in rare exceptional situations. The challenge of measuring sociotechnical costs inspired this research; the aim was to find out whether BCM costs could be explained better to support decision-making. Two central themes emerge from the literature: BCM in the context of organisational routines, and the classification of IT and information security costs. The theoretical assumption was that the relationship between IT costs and BCM activities emulates the theory of activity-based costing (ABC), namely that there is a cause-and-effect relationship between activities and costs. The key question is “How to determine the costs of BCM activities in IT services?” To find out, I used comprehensive archival data from a case company and developed a retrospective quantitative model to analyse the relationship between BCM activities and IT costs. Using a causal-comparative method and linear regression analysis, I compared different groups of IT services to find out to what extent BCM activities could explain the variation in IT costs. In addition, I measured the relative effect of each variable on the total cost of BCM. When both statistical and practical test results were taken into account, several interesting results emerged regarding the relationship between BCM activities and IT costs, concerning human, technology and organisational resources as well as the design of IT services. The research produced two theoretical contributions and one empirical confirmation of the theory. The first and most essential of these is the BCM activity cost model. This final product answers the thesis's key question about BCM costs in IT services. The second contribution is the total cost of BCM framework. This can feed a broader academic discussion on information system (IS) cost taxonomies in IT services and information security. The third contribution, the empirical confirmation, shows that indirect costs can be measured using regression analysis. The findings of the research may be useful to IS researchers focused on the economic aspects of IS and IT. Three practical contributions also emerge from the research. The first concerns how the effects of total BCM costs on IT services are monitored. Although the results of a single case study cannot be generalised, the findings may help companies assess the effects of BCM on their budgets. The second practical contribution concerns the challenges of measuring activity costs that are difficult to observe directly. Within the limits of this research, no reason emerged why the BCM activity cost model could not be productised and integrated into a company's other cost estimation tools, or applied to other areas of IT service management. The last significant practical contribution is the definition of BCM activity cost variables. BCM professionals can more easily promote the BCM process once the correspondence between the costs of the theoretical and empirical BCM frameworks is confirmed.

    Towards a Comprehensive Evidence-Based Approach For Information Security Value Assessment

    This thesis is motivated by the goals of understanding in depth which information security value aspects are relevant in real-world business environments and contributing a value-prioritised information security investment decision model suitable for practitioners in the field. Pursuing this goal, we apply a mixed method research approach that combines the analysis of the relevant literature, expert interviews, practitioner survey data and structural equation modelling and multicriteria decision analysis. In the first step, we address the identified terminology gap to clarify the meaning of ‘cyber security’ by analysing authoritative definition sources in the literature and presenting an improved definition distinct from that of ‘information security’. We then investigate the influence of repeated information security breaches on an organisation’s stock market value to benchmark the wider economic impact of such events. We find abnormal returns following a breach event as well as weak statistical significance on abnormal returns for later breach events, confirming that data breaches have a negative impact on organisations. To understand how security practitioners view this topic, we conduct and analyse semi-structured interviews following a grounded theory approach. Our research identifies 15 principles aligned with a conceptual information security investment framework. The key components of this framework such as the business environment, drivers (threat landscape, legal and regulatory) and challenges (cost of security, uncertainty) are found to be a crucial part of value-prioritised information security investment decisions. We verify these findings through a structural model consisting of five latent variables representing key areas in value-focused information security investment decisions. The model shows that security capabilities have the largest direct effect on the value organisations gain from information security investment. 
In addition, the value outcome is strongly influenced by organisation-specific constructs such as the threat landscape and regulatory requirements, which must therefore be considered when creating security capabilities. To address one of the key uncertainty issues, we use a probabilistic topic modelling approach to identify latent security threat prediction topics from a large pool of security predictions publicised in the media. We further verify the prediction outcomes through a survey instrument. The results confirm the feasibility of forecasting notable threat developments in this context, implying that practitioners can use this approach to reduce uncertainty and improve security investment decisions. In the last part of the thesis, we present a multicriteria decision model that combines our results on value-prioritised information security investments in an organisational context. Based on predefined criteria and preferences, and by utilising stochastic multicriteria acceptability analysis as the adopted methodology, our model can deal with substantial uncertainty while offering ease of use for practitioners.