Abstract

According to the PricewaterhouseCoopers analysis, the average cost of a single information security and data protection breach doubled during 2015 (PricewaterhouseCoopers 2015). The number of organizations reporting a serious breach has also risen (from 9% in 2015 to 17% in 2016) (PricewaterhouseCoopers 2016). To achieve their goals, criminals use a range of techniques, from social engineering (phishing, whaling) to malware execution (such as ransomware) on target machines. Recent attacks (the attack on the Central Bank of Bangladesh, the fraud attack on the Mattel CEO and the attack on the ATMs of a Thailand state-run government bank) show that criminals are very well organized and equipped, and spend a lot of money and time preparing their attacks. To protect themselves, organizations are required to follow defence-in-depth principles and implement complex security solutions that ensure the needed level of information security at an appropriate cost. However, information security cost-benefit assessment is complicated because of the lack of structured cost-benefit methods and the difficulty of comparing IT security solutions in light of prevailing uncertainties. Existing methods are oriented on processes, environment lifecycles or the implementation of specific standards. Because of that, existing methods do not cover all needed security areas, and reusing them is a complicated task. To address this issue, we propose a new method for evaluating the implementation costs of information security standards, based on information security controls.

Highlights

  • Security management and organization assets protection became one of the key points of organization success

  • Our goal is to identify an information security implementation cost-benefit evaluation method that would let us calculate information security implementation costs and benefits for organizations that use two or more different security standards

  • Information security costs were evaluated for two abstract companies, ACME and EMCA, which are commonly used for such modeling tasks


Introduction

Security management and organization asset protection have become one of the key points of organization success. According to the technical report developed by PricewaterhouseCoopers (PricewaterhouseCoopers 2015), the average cost of a single information security and data protection breach doubled during the last year, from 600 000 £ in 2014 to 1 460 000 £ in 2015. Such analysis results explain why the implementation of information security requirements is so important nowadays. From the information security point of view, it is impossible to ensure absolute protection of organization assets or information. Each organization must define the needed level of information and asset protection that satisfies its risk appetite, and implement security management controls that ensure that level of protection. Existing security standards, and the requirements defined in them, help to achieve this goal and ensure that the organization follows due diligence principles.

