MIPRO 2012

Click to Analysis of Information Investmentedit Master subtitle style Security Management in Croatian Seaports Saa Aksentijevi, Edvard Tijan, Bojan Hlaa

The Problem
Existing models of Information Security Management Systems in seaports usually involve threat evaluation, vulnerability management and risk analysis. Very often all three possible approaches are devoid of economic and financial analysis of seaport information security investments. A combined model is required which includes both technical and financial approach to information security management and decision-making in Croatian Port Community Systems.

Seaport ISMS Overview

Composed of the following components related in a hierarchical manner:
1. 2. 3. 4.

Organizational forms, ensuring alignment with legal requirements Organizational information policy (often formalized by security certification) Computer and network hardware Computer software and solutions

Each of these components is related to capital investments or operative costs.

Seaport ISMS investment input parameters

ISMS investments depend on risk assesment as a technical discipline and often lack quantitative financial indicators High level of substition of ISMS investments that can be considered either investments or running costs (cloud computing solutions, SaaS) Possibility of vendor lock-in Difficult determination of ISMS solution residual value after its useful life High probability of lack of internal professional resources

Variables in economic and financial analysis of seaport ISMS investments

Initial investment in information solution or project Cost of maintenance of information security solution Material cost of operation (electricity, air conditioning) Cost of external solutions and services (example: consultancy) Cost of employee education during operation Gross equivalent of employee salaries during implementation

Cash flow analysis also includes source of ISMS project financing and obligations towards those sources (interest). It also includes time value of money.

Cash flow analysis of seaport ISMS investments

The following methods can be successfuly used in ISMS cash flow analysis:
1.

2.

3. 4. 5.

Investment time to return (number of years needed to recover information security investment) Method of discounted investment time to return (if time value of money has to be incorporated in analysis) Net present value method Information security solution internal profitability rate Profitability index

Usage of internal rate of return (RoR) in seaport ISMS investments

Discount rate pairing investments with pure cash flows has to be bigger than defined discount rate depending on risks and cost of capital. Considerations are the following:

Cannot be used to decide between different investments Anticipates reinvesting positive net cash flow into project having equal RoR It is assumed that problem of multiple RoR does not exist It provides only relative measurement of ISMS investment, not its absolute value

Very sensitive to the project duration, ability of security solution to generate positive cash flow and used discount rate.

Alternative evaluation methods

Modern Portfolio Theory (MPT), modified to use particular distribution curve suited to a set of ISMS solutions (projects) Analytic Hierarchy Process (AHP) method, paying attention to low levels of Consistency Ratio (CR typically has to be less than 10 %)

Integrated model of seaport ISMS investment decision-making

Planning of ISMS using only technical criteria does not lead to desirable outcome (devoid of financial impact and criteria) Planing of seaport ISMS relying on risk analyis may lead to overor under- investment in solutions Integrated model includes technical criteria, risk analysis and Return on Security Investment Calculation

Methods of evaluation (1/2)

Method of evaluation Economic analysis Complexity low Reliability low Constraints - static - does not account for time value of money - dynamic - accounts for time value of money - highly sensitive to anticipated discount rate Applicability - high - immediate

Financial analysis

med.

med.

- high - immediate

Methods of evaluation (2/2)

Internal rate of return med. high -dynamic -can be misguiding -best used with other profitability indicators -may yield several rates of return -cannot be used to compare different information security projects -very complex -requires determination of correct distrubution and adaptation of the model - applicable, if evaluation of perceived cost of security incident can be obtained

MPT

high

high

- applicable, if there is available commercial database of security incident distribution or if the port community is collecting its data over past period of time

Conclusion
Two opposed perspectives have to be joined: techno centric one, insisting on concept of total security and financial one, insisting on rational investments resulting in satisfactory and measurable return. The balance between two perspectives is a key in decision making: the shift of this balance in either way results in the diminished financial performance of the seaport or the implicit acceptance of too high and unreasonable risk levels. The basic assumption has to be maintained throughout quantification process, regardless of the chosen method: the summary cost of information security implementation has to outweight the summary loss caused by security incidents.