Analysis of Information Investment Security Management in Croatian Seaports
Saša Aksentijević, Edvard Tijan, Bojan Hlača
The Problem
Existing models of Information Security Management Systems (ISMS) in seaports usually involve threat evaluation, vulnerability management and risk analysis. Very often all three approaches are devoid of any economic and financial analysis of seaport information security investments. A combined model is required which includes both the technical and the financial approach to information security management and decision-making in Croatian Port Community Systems.
- Organizational forms, ensuring alignment with legal requirements
- Organizational information policy (often formalized by security certification)
- Computer and network hardware
- Computer software and solutions
- ISMS investments depend on risk assessment as a technical discipline and often lack quantitative financial indicators
- High level of substitution between ISMS investments that can be treated either as investments or as running costs (cloud computing solutions, SaaS)
- Possibility of vendor lock-in
- Difficult determination of the residual value of an ISMS solution after its useful life
- High probability of a lack of internal professional resources
- Initial investment in the information solution or project
- Cost of maintenance of the information security solution
- Material cost of operation (electricity, air conditioning)
- Cost of external solutions and services (example: consultancy)
- Cost of employee education during operation
- Gross equivalent of employee salaries during implementation
Cash flow analysis also includes the source of ISMS project financing and the obligations towards those sources (interest), as well as the time value of money.
1. Investment time to return (number of years needed to recover the information security investment)
2. Method of discounted investment time to return (if the time value of money has to be incorporated in the analysis)
3. Net present value method
4. Internal profitability rate of the information security solution
5. Profitability index
- Cannot be used to decide between different investments
- Assumes that positive net cash flow is reinvested into a project having an equal rate of return (RoR)
- Assumes that the problem of multiple RoR does not arise
- Provides only a relative measurement of the ISMS investment, not its absolute value
Very sensitive to the project duration, to the ability of the security solution to generate positive cash flow, and to the discount rate used.
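The cost components, the financing obligations and the five return indicators listed above, worked through on one constructed ISMS project. This is an added example, not code from the deck or its authors: every amount (initial investment, running costs, the loan and its rate, the avoided incident losses, the residual value) is an assumption chosen to make the arithmetic visible, and the second, smaller project exists only to show the IRR caveat that a higher rate of return does not mean a higher absolute value.

```python
# Added example, not from the deck: ISMS investment appraisal on constructed figures (EUR).
# Cost components follow the deck's list; the loan and avoided-loss figures are assumptions.
INITIAL_INVESTMENT = 120_000      # hardware, software, project
IMPLEMENTATION_SALARIES = 20_000  # gross salary equivalent during implementation
ANNUAL_RUNNING_COST = 15_000 + 3_000 + 6_000 + 2_000   # maintenance, electricity/cooling, consultancy, education
USEFUL_LIFE = 5                   # years
RESIDUAL_VALUE = 10_000           # hard to estimate in practice, as the deck notes
ANNUAL_AVOIDED_LOSS = 70_000      # incident losses the solution is expected to prevent (assumption)
LOAN_AMOUNT, LOAN_RATE, LOAN_YEARS = 60_000, 0.06, 5   # financing assumption: level annuity
DISCOUNT_RATE = 0.08              # required rate of return (time value of money)


def annuity_payment(principal, rate, years):
    """Level yearly repayment, principal plus interest, on a loan."""
    return principal * rate / (1 - (1 + rate) ** -years)


def build_cash_flows():
    """Net cash flow per year; index 0 is the implementation year (outlay net of the loan)."""
    payment = annuity_payment(LOAN_AMOUNT, LOAN_RATE, LOAN_YEARS)
    flows = [-(INITIAL_INVESTMENT + IMPLEMENTATION_SALARIES - LOAN_AMOUNT)]
    for year in range(1, USEFUL_LIFE + 1):
        debt_service = payment if year <= LOAN_YEARS else 0.0
        cf = ANNUAL_AVOIDED_LOSS - ANNUAL_RUNNING_COST - debt_service
        if year == USEFUL_LIFE:
            cf += RESIDUAL_VALUE   # solution sold or written off at end of life
        flows.append(cf)
    return flows


def payback_period(flows):
    """Years until cumulative cash flow turns non-negative, interpolated within the year."""
    cumulative = 0.0
    for year, cf in enumerate(flows):
        previous = cumulative
        cumulative += cf
        if year > 0 and cumulative >= 0:
            return year - 1 + (-previous / cf)
    return None   # not recovered within the useful life


def npv(rate, flows):
    """Net present value at the given discount rate."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def discounted_payback(rate, flows):
    """Payback on discounted flows, i.e. with time value of money included."""
    return payback_period([cf / (1 + rate) ** t for t, cf in enumerate(flows)])


def irr(flows, lo=-0.99, hi=10.0, tol=1e-7):
    """Internal rate of return by bisection on npv(rate) == 0.
    Assumes one sign change in the flows (the deck's 'no multiple RoR' assumption)."""
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def profitability_index(rate, flows):
    """PV of inflows per unit of initial outlay; above 1 means value is created."""
    pv_inflows = sum(cf / (1 + rate) ** t for t, cf in enumerate(flows) if t > 0)
    return pv_inflows / -flows[0]


def appraise(flows, rate=DISCOUNT_RATE):
    """The five indicators listed in the deck, for one project."""
    return {"payback": payback_period(flows),
            "discounted_payback": discounted_payback(rate, flows),
            "npv": npv(rate, flows),
            "irr": irr(flows),
            "profitability_index": profitability_index(rate, flows)}


def irr_ranks_differently_from_npv(rate=DISCOUNT_RATE):
    """IRR caveat: a smaller project with a higher IRR can still add less absolute value."""
    big = build_cash_flows()
    small = [-20_000, 12_000, 12_000, 12_000]   # constructed alternative project
    return irr(small) > irr(big) and npv(rate, small) < npv(rate, big)


if __name__ == "__main__":
    for name, value in appraise(build_cash_flows()).items():
        print(f"{name:>20}: {value:,.3f}")
    print("IRR and NPV rank the two projects differently:", irr_ranks_differently_from_npv())
```

With these figures the investment is recovered in about 2.7 years (3.2 years once discounted), the NPV at 8 % is roughly 45,600 EUR, the IRR about 27 % and the profitability index about 1.57. The `irr_ranks_differently_from_npv` check reproduces the limitation noted above: the constructed three-year project has the higher IRR, but the seaport project adds far more present value, so IRR alone is not a basis for choosing between them.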
- Modern Portfolio Theory (MPT), modified to use a particular distribution curve suited to a set of ISMS solutions (projects)
- Analytic Hierarchy Process (AHP) method, paying attention to low levels of the Consistency Ratio (CR typically has to be less than 10 %)
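The AHP consistency check mentioned above, as an added example that is not part of the deck: a pairwise comparison matrix over three constructed ISMS selection criteria (cost, risk reduction, implementation time) is reduced to its principal eigenvalue by power iteration, the consistency index CI = (lambda_max - n)/(n - 1) is divided by Saaty's random index for that matrix size, and the result is compared with the 10 % threshold the deck cites. The criteria, the judgement values and the 0.10 cut-off constant are assumptions of this example.

```python
# Added example, not from the deck: AHP consistency ratio on constructed pairwise judgements.
# Saaty's random index (RI) by matrix size; CR = CI / RI, and CR < 0.10 is the usual threshold.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_THRESHOLD = 0.10


def principal_eigen(matrix, iterations=1000, tol=1e-12):
    """Power iteration on a positive reciprocal matrix: returns (lambda_max, priority vector)."""
    n = len(matrix)
    vec = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        product = [sum(matrix[i][j] * vec[j] for j in range(n)) for i in range(n)]
        total = sum(product)
        new = [x / total for x in product]
        # Perron eigenvalue estimate: mean ratio of (A v)_i to v_i
        lam = sum(product[i] / vec[i] for i in range(n)) / n
        converged = max(abs(a - b) for a, b in zip(new, vec)) < tol
        vec = new
        if converged:
            break
    return lam, vec


def consistency_ratio(matrix):
    """Returns (CR, priority weights) for a square pairwise comparison matrix."""
    n = len(matrix)
    lam, weights = principal_eigen(matrix)
    ci = (lam - n) / (n - 1)        # consistency index
    return ci / RANDOM_INDEX[n], weights


def is_acceptable(matrix):
    """True when the judgements are consistent enough to be used for ranking ISMS projects."""
    return consistency_ratio(matrix)[0] < CR_THRESHOLD


# Criteria (constructed): cost, risk reduction, implementation time.
# Consistent judgements: risk reduction is 2x as important as cost, implementation time 4x.
CONSISTENT = [[1, 1/2, 1/4],
              [2, 1, 1/2],
              [4, 2, 1]]
# Circular judgements: cost > risk reduction > time > cost. AHP should reject these.
INCONSISTENT = [[1, 3, 1/5],
                [1/3, 1, 3],
                [5, 1/3, 1]]

if __name__ == "__main__":
    for label, m in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        cr, w = consistency_ratio(m)
        print(f"{label:>12}: CR = {cr:.3f}, weights = {[round(x, 3) for x in w]}, "
              f"acceptable = {is_acceptable(m)}")
```

The consistent matrix yields weights of 1/7, 2/7 and 4/7 with CR of zero; the circular one yields lambda_max of about 4.84 and a CR above 1.5, far beyond the 10 % limit, which is the signal to send the judgements back to the decision makers rather than rank projects on them.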
- Planning of the ISMS using only technical criteria does not lead to a desirable outcome (it is devoid of financial impact and criteria)
- Planning of the seaport ISMS relying on risk analysis alone may lead to over- or under-investment in solutions
- The integrated model includes technical criteria, risk analysis and a Return on Security Investment calculation
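How the integrated model's three inputs can sit together in one evaluation, as an added example that is not the deck's own method: risk analysis supplies an annual loss expectancy (ALE = SLE x ARO) before and after a candidate control, a Return on Security Investment figure compares the loss avoided with the control's annual cost, and a technical criterion (here a list of risks that must be treated regardless of return, an assumption standing in for legal or certification requirements) can override a negative return. The scenario names, loss figures, mitigation ratios and costs are all constructed, and the ROSI formula used, (avoided loss - cost) / cost, is the common one rather than something the deck specifies.

```python
# Added example, not from the deck: combining risk analysis (ALE) with a return on security
# investment figure and a technical must-treat criterion for candidate controls.
# All scenario figures are constructed; ROSI = (avoided loss - cost) / cost is an assumption.

def ale(single_loss_expectancy, annual_rate_of_occurrence):
    """Annual loss expectancy = SLE x ARO."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale_before, ale_after, annual_cost):
    """Return on security investment relative to the control's annual cost."""
    avoided_loss = ale_before - ale_after
    return (avoided_loss - annual_cost) / annual_cost


def evaluate(controls, mandatory_risks=()):
    """Classify each candidate control (dict with sle, aro, mitigation, cost, risk, name).
    'justified'  : ROSI >= 0, or the risk is on the must-treat list (technical criterion)
    'over-invest': ROSI < 0 and not mandatory, i.e. the control costs more than it avoids
    """
    verdicts = {}
    for c in controls:
        before = ale(c["sle"], c["aro"])
        after = before * (1 - c["mitigation"])
        r = rosi(before, after, c["cost"])
        mandatory = c["risk"] in mandatory_risks
        verdicts[c["name"]] = {
            "ale_before": before, "ale_after": after, "rosi": r,
            "verdict": "justified" if (r >= 0 or mandatory) else "over-invest",
        }
    return verdicts


def untreated_risks(risks, controls):
    """Risks with no candidate control at all: the under-investment side of the picture."""
    covered = {c["risk"] for c in controls}
    return [r for r in risks if r not in covered]


RISKS = ["pcs_ransomware", "website_defacement", "manifest_data_leak"]   # constructed
CONTROLS = [   # constructed candidate controls for a port community system
    {"name": "offline backups + restore drills", "risk": "pcs_ransomware",
     "sle": 400_000, "aro": 0.2, "mitigation": 0.75, "cost": 30_000},
    {"name": "WAF for public site", "risk": "website_defacement",
     "sle": 5_000, "aro": 1.0, "mitigation": 0.90, "cost": 20_000},
]

if __name__ == "__main__":
    for name, v in evaluate(CONTROLS).items():
        print(f"{name}: ALE {v['ale_before']:,.0f} -> {v['ale_after']:,.0f}, "
              f"ROSI {v['rosi']:+.2f}, {v['verdict']}")
    print("untreated risks:", untreated_risks(RISKS, CONTROLS))
```

On these figures the backup control returns 1.0 (60,000 EUR of loss avoided for 30,000 EUR a year), while the WAF avoids only 4,500 EUR for 20,000 EUR and is flagged as over-investment unless the defacement risk is declared mandatory; the data-leak risk has no control at all, which is the under-investment case the deck warns about when planning rests on risk analysis alone.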
Financial analysis | med. | med. | high; immediate
MPT | high | high | applicable if a commercial database of security incident distribution is available, or if the port community has been collecting its own incident data over a past period of time
Conclusion
Two opposed perspectives have to be joined: the techno-centric one, insisting on the concept of total security, and the financial one, insisting on rational investments that result in a satisfactory and measurable return. The balance between the two perspectives is the key to decision-making: a shift of this balance in either direction results in diminished financial performance of the seaport or in the implicit acceptance of unreasonably high risk levels. One basic assumption has to be maintained throughout the quantification process, regardless of the chosen method: the summary cost of information security implementation has to outweigh the summary loss caused by security incidents.