10 research outputs found

    Towards a Multi-objective Optimization Model to Support Information Security Investment Decision-making

    The protection of assets, including IT resources, intellectual property and business processes, against security attacks has become a challenging task for organizations. From an economic perspective, firms need to minimize the probability of a successful security incident or attack while staying within the boundaries of their information security budget in order to optimize their investment strategy. In this paper, an optimization model to support information security investment decision-making in organizations is proposed considering the two conflicting objectives (simultaneously minimizing the costs of countermeasures while maximizing the security level). Decision models that support the firms’ decisions considering the trade-off between the security level and the investment allocation are beneficial for organizations to facilitate and justify security investment choices.

    A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory

    The protection of information technology (IT) has become and is predicted to remain a key economic challenge for organizations. While research on IT security investment is fast growing, it lacks a theoretical basis for structuring research, explaining economic-technological phenomena and guiding future research. We address this shortcoming by suggesting a new theoretical model emerging from a multi-theoretical perspective adopting the Resource-Based View and the Organizational Learning Theory. The joint application of these theories allows conceptualizing in one theoretical model the organizational learning effects that occur when the protection of organizational resources through IT security countermeasures develops over time. We use this model of IT security investments to synthesize findings of a large body of literature and to derive research gaps. We also discuss managerial implications of (closing) these gaps by providing practical examples.

    Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning

    The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms’ investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur on an ad-hoc basis.

    Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory

    Nowadays, providing employees with failure-free access to various systems, applications and services is a crucial factor for organizations’ success as disturbances potentially inhibit smooth workflows and thereby harm productivity. However, it is a challenging task to assign access rights to employees’ accounts within a satisfying time frame. In addition, the management of multiple accounts and identities can be very onerous and time consuming for the responsible administrator and therefore expensive for the organization. In order to meet these challenges, firms decide to invest in introducing an Identity and Access Management System (IAMS) that supports the organization by using policies to assign permissions to accounts, groups, and roles. In practice, since various versions of IAMSs exist, it is a challenging task to decide upon introduction of an IAMS. The following study proposes a first attempt of a decision support model for practitioners which considers four alternatives: introduction of an IAMS with Role-based Access Control (RBAC) or without, and no introduction of an IAMS, again with or without RBAC. To underpin the practical applicability of the proposed model, we parametrize and operationalize it based on a real world use case using input from an expert interview.

    Classifying malware attacks in IaaS cloud environments

    In the last few years, research has been motivated to provide a categorization and classification of security concerns accompanying the growing adaptation of Infrastructure as a Service (IaaS) clouds. Studies have been motivated by the risks, threats and vulnerabilities imposed by the components within the environment and have provided general classifications of related attacks, as well as the respective detection and mitigation mechanisms. Virtual Machine Introspection (VMI) has been proven to be an effective tool for malware detection and analysis in virtualized environments. In this paper, we classify attacks in IaaS cloud that can be investigated using VMI-based mechanisms. This infers a special focus on attacks that directly involve Virtual Machines (VMs) deployed in an IaaS cloud. Our classification methodology takes into consideration the source, target, and direction of the attacks. As each actor in a cloud environment can be both source and target of attacks, the classification provides any cloud actor the necessary knowledge of the different attacks by which it can threaten or be threatened, and consequently deploy adapted VMI-based monitoring architectures. To highlight the relevance of attacks, we provide a statistical analysis of the reported vulnerabilities exploited by the classified attacks and their financial impact on actual business processes.

    A LITERATURE REVIEW ON SMARTPHONE SECURITY IN ORGANIZATIONS USING A NEW THEORETICAL MODEL – THE DYNAMIC SECURITY SUCCESS MODEL

    Smartphones have become an important part of organizational IT infrastructures including benefits such as increased productivity as well as IT security risks. These risks are mainly related to unauthorized access to corporate data. Integrating smartphones in organizations regarding security involves a sequence of decisions, ranging from the integration approach (smartphones owned by employees or by the organization) to specific security measures implemented on the devices. This is an ongoing process making constant adaption necessary due to progressive development of hard- and software and due to new security risks arising. We propose the Dynamic Security Success Model (DSSM) – a combination of the DeLone & McLean Information Systems Success Model and Argyris’ Organizational Learning Theory. This theoretical foundation combines the individual and the organizational impact of smartphone security measures with the learning perspective, allowing a company to respond to the ever changing security requirements of smartphones in organizations. Based on the DSSM, existing literature is reviewed and research gaps are derived for future work.

    IT-Sicherheit: Ökonomisch Planen und Bewerten


    IT Security Investments Through the Lens of the Resource-Based View: A new Theoretical Model and Literature Review

    IT security has become a major issue for organizations as they need to protect their assets, including IT resources, intellectual property and business processes, against security attacks. Disruptions of IT-based business activities can easily lead to economic damage, such as loss of productivity, revenue and reputation.

    Organizations need to decide (1) which assets need which level of protection, (2) which technical, managerial and organizational security countermeasures lead to this protection and (3) how much should be spent on which countermeasure in the presence of budget constraints. Answering these questions requires both making IT security investment decisions and evaluating the effectiveness and efficiency of these decisions.

    The literature has contributed to this field adopting approaches from micro-economics, finance and management, among others. However, the literature is rather fragmented and lacks a shared theoretical basis. As a consequence, it remains partly open what we can learn from past research and how we can direct and stimulate still missing research activities.

    In order to address these deficiencies, we draw on the resource-based view (RBV) and provide a theoretical model for IT security investments. We use this RBV model to review the IT security investment literature and to identify research gaps.

    QoS-Aware Secure Live Migration of Virtual Machines

    The live migration of Virtual Machines (VMs) is a key technology in server virtualization solutions used to deploy Infrastructure-as-a-Service (IaaS) clouds. This process, on one hand, increases the elasticity, fault tolerance, and maintainability in the virtual environment. On the other hand, it increases the security challenges in cloud environments, especially when the migration is performed between different data centers. Secure live migration mechanisms are required to keep the security requirements of both cloud customers and providers satisfied. These mechanisms are known to increase the migration downtime of the VMs, which plays a significant role in the compliance to Service Level Agreements (SLAs). This paper discusses the main threats caused by live migration and the main approaches for securing the migration. The requirements of a comprehensive Quality of Service (QoS)-aware secure live migration solution that keeps both security and QoS requirements satisfied are defined.

    CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

    Due to the proliferation of cloud computing, cloud-based systems are becoming an increasingly attractive target for malware. In an Infrastructure-as-a-Service (IaaS) cloud, malware located in a customer’s virtual machine (VM) affects not only this customer, but may also attack the cloud infrastructure and other co-hosted customers directly. This paper presents CloudIDEA, an architecture that provides a security service for malware defense in cloud environments. It combines lightweight intrusion monitoring with on-demand isolation, evidence collection, and in-depth analysis of VMs on dedicated analysis hosts. A dynamic decision engine makes on-demand decisions on how to handle suspicious events considering cost-efficiency and quality-of-service constraints.