MIPRO 2012 Presentation -Aksentijevic Tijan Hlaca


  • 7/29/2019 MIPRO 2012 Presentation -Aksentijevic Tijan Hlaca

    1/12

    MIPRO 2012: Investment Analysis of Information Security Management in Croatian Seaports

    Saša Aksentijević, Edvard Tijan, Bojan Hlača


    2/12

    The Problem

    Existing models of Information Security Management Systems in seaports usually involve threat evaluation, vulnerability management and risk analysis.

    Very often all three possible approaches are devoid of economic and financial analysis of seaport information security investments.

    A combined model is required which includes both a technical and a financial approach to information security management and decision-making in Croatian Port Community Systems.


    3/12

    Seaport ISMS Overview

    Composed of the following components related in a hierarchical manner:

    1. Organizational forms, ensuring alignment with legal requirements

    2. Organizational information policy (often formalized by security certification)

    3. Computer and network hardware

    4. Computer software and solutions

    Each of these components is related to capital investments or operative costs.


    4/12

    Seaport ISMS investment input parameters

    ISMS investments depend on risk assessment as a technical discipline and often lack quantitative financial indicators

    High level of substitution of ISMS investments that can be considered either investments or running costs (cloud computing solutions, SaaS)

    Possibility of vendor lock-in

    Difficult determination of ISMS solution residual value after its useful life

    High probability of lack of internal professional resources


    5/12

    Variables in economic and financial analysis of seaport ISMS investments

    Initial investment in information solution or project

    Cost of maintenance of information security solution

    Material cost of operation (electricity, air conditioning)

    Cost of external solutions and services (example: consultancy)

    Cost of employee education during operation

    Gross equivalent of employee salaries during implementation

    Cash flow analysis also includes the source of ISMS project financing and obligations towards those sources (interest). It also includes the time value of money.


    6/12

    Cash flow analysis of seaport ISMS investments

    The following methods can be successfully used in ISMS cash flow analysis:

    1. Investment time to return (number of years needed to recover the information security investment)

    2. Method of discounted investment time to return (if the time value of money has to be incorporated in the analysis)

    3. Net present value method

    4. Information security solution internal profitability rate

    5. Profitability index


    7/12

    Usage of internal rate of return (RoR) in seaport ISMS investments

    The discount rate that equates the investment with its net cash flows has to be bigger than the defined discount rate, which depends on risks and the cost of capital. Considerations are the following:

    Cannot be used to decide between different investments

    Anticipates reinvesting positive net cash flow into a project having an equal RoR

    It is assumed that the problem of multiple RoR does not exist

    It provides only a relative measurement of the ISMS investment, not its absolute value

    Very sensitive to the project duration, the ability of the security solution to generate positive cash flow and the discount rate used.
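The five cash-flow methods listed on slide 6, and the sign-change check behind slide 7's multiple-RoR caveat, worked through on a constructed seaport ISMS project. This is an added example, not code from the presentation; the outlay, yearly net benefits and the 8 % discount rate are assumptions.

```python
# Added example (not from the slides): slide 6's five cash-flow methods on a constructed
# seaport ISMS project, plus the sign-change check behind slide 7's multiple-IRR caveat.
# Constructed inputs: year-0 outlay (hardware, software, implementation salaries), then
# net yearly benefit = avoided incident loss - maintenance - energy - training.
OUTLAY = 120_000.0
NET_FLOWS = [35_000.0, 40_000.0, 40_000.0, 35_000.0, 30_000.0]  # years 1..5
DISCOUNT_RATE = 0.08  # assumed cost of capital plus risk premium

def payback_years(outlay, flows):
    """Investment time to return: years to recover the outlay (linear within the year)."""
    cum = 0.0
    for year, cf in enumerate(flows, start=1):
        if cf > 0 and cum + cf >= outlay:
            return year - 1 + (outlay - cum) / cf
        cum += cf
    return None  # not recovered within the horizon

def discounted(flows, rate):
    return [cf / (1 + rate) ** t for t, cf in enumerate(flows, start=1)]

def discounted_payback_years(outlay, flows, rate):
    """Payback on discounted flows, i.e. with the time value of money included."""
    return payback_years(outlay, discounted(flows, rate))

def npv(outlay, flows, rate):
    return sum(discounted(flows, rate)) - outlay

def profitability_index(outlay, flows, rate):
    return sum(discounted(flows, rate)) / outlay

def sign_changes(outlay, flows):
    """Sign changes in the full series; more than one means several IRRs may exist."""
    series = [-outlay] + list(flows)
    return sum(1 for a, b in zip(series, series[1:]) if a * b < 0)

def irr(outlay, flows, lo=-0.9, hi=1.0, tol=1e-7):
    """IRR by bisection on NPV(rate) = 0; None if NPV has the same sign at lo and hi.
    With several sign changes in the flows this returns only one of the roots."""
    f_lo, f_hi = npv(outlay, flows, lo), npv(outlay, flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(outlay, flows, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2
```

A large negative flow at the end of the horizon (for example an uncertain residual value or decommissioning cost, slide 4) gives two sign changes, which is exactly the case in which the IRR becomes ambiguous and NPV or the profitability index should decide.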


    8/12

    Alternative evaluation methods

    Modern Portfolio Theory (MPT), modified to use a particular distribution curve suited to a set of ISMS solutions (projects)

    Analytic Hierarchy Process (AHP) method, paying attention to low levels of Consistency Ratio (CR typically has to be less than 10 %)
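The AHP consistency check mentioned above, as an added example that is not part of the presentation: the criteria, the pairwise judgements and the 10 % limit applied to a constructed matrix are assumptions, while the random index values are Saaty's published ones.

```python
# Added example (not from the slides): AHP consistency ratio for judgements used to
# rank seaport ISMS projects. Criteria and judgement values are constructed.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,  # Saaty's random index
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_LIMIT = 0.10  # judgements with CR above 10 % are normally revised (slide 8)

# Constructed judgements over three criteria: risk reduction, total cost of ownership,
# regulatory compliance. A[i][j] = importance of i over j on the 1..9 scale, A[j][i] = 1/A[i][j].
CONSISTENT = [[1.0, 3.0, 5.0],
              [1 / 3, 1.0, 3.0],
              [1 / 5, 1 / 3, 1.0]]
# Cyclic judgements (risk > cost, cost > compliance, compliance > risk): inconsistent.
INCONSISTENT = [[1.0, 3.0, 1 / 5],
                [1 / 3, 1.0, 3.0],
                [5.0, 1 / 3, 1.0]]

def principal_eigen(a, iters=500):
    """Power iteration: returns (lambda_max, priority vector normalised to sum 1)."""
    n = len(a)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iters):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)  # since sum(w) == 1, this estimates lambda_max
        w = [x / lam for x in aw]
    return lam, w

def consistency_ratio(a):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for n <= 2."""
    n = len(a)
    if n <= 2:
        return 0.0
    lam, _ = principal_eigen(a)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

def judgements_acceptable(a):
    return consistency_ratio(a) < CR_LIMIT

if __name__ == "__main__":
    for name, m in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        lam, w = principal_eigen(m)
        print(f"{name}: lambda_max={lam:.3f} weights={[round(x, 3) for x in w]} "
              f"CR={consistency_ratio(m):.3f} acceptable={judgements_acceptable(m)}")
```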


    9/12

    Integrated model of seaport ISMS investment decision-making

    Planning of ISMS using only technical criteria does not lead to a desirable outcome (devoid of financial impact and criteria)

    Planning of seaport ISMS relying on risk analysis may lead to over- or under-investment in solutions

    The integrated model includes technical criteria, risk analysis and a Return on Security Investment calculation


    10/12

    Methods of evaluation (1/2)

    Each method is rated by complexity, reliability, constraints and applicability.

    Economic analysis
      Complexity: low
      Reliability: low
      Constraints: static; does not account for time value of money
      Applicability: high; immediate

    Financial analysis
      Complexity: med.
      Reliability: med.
      Constraints: dynamic; accounts for time value of money; highly sensitive to anticipated discount rate
      Applicability: high; immediate


    11/12

    Methods of evaluation (2/2)

    Internal rate of return
      Complexity: med.
      Reliability: high
      Constraints: dynamic; can be misguiding; best used with other profitability indicators; may yield several rates of return; cannot be used to compare different information security projects
      Applicability: applicable if an evaluation of the perceived cost of a security incident can be obtained

    MPT
      Complexity: high
      Reliability: high
      Constraints: very complex; requires determination of the correct distribution and adaptation of the model
      Applicability: applicable if a commercial database of security incident distribution is available, or if the port community is collecting its own data over a past period of time


    12/12

    Conclusion

    Two opposed perspectives have to be joined: the techno-centric one, insisting on the concept of total security, and the financial one, insisting on rational investments resulting in a satisfactory and measurable return. The balance between the two perspectives is key in decision-making: a shift of this balance in either direction results in diminished financial performance of the seaport or in the implicit acceptance of too high and unreasonable risk levels.

    The basic assumption has to be maintained throughout the quantification process, regardless of the chosen method: the summary cost of information security implementation has to outweigh the summary loss caused by security incidents.