Information Security Risk Management: In which Security Solutions is it worth Investing?

Abstract: As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. We defined a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.


Introduction: “As almost every business decision is based on data, reliable information technology (IT) is a prerequisite for business continuity and therefore crucial for the entire economy [Gerber and von Solms, 2004; Commission of the European Communities, 2006]. The importance of information technology brought with it the urgent need to ensure its continuous and reliable operation and to protect the processed and stored information. Recent research has shown the impact of security breaches on the market value of organizations. Organizations lost an average of approximately 2.1% of their market value within two days surrounding security breaches [Cavusoglu et al., 2004a]. The interconnectedness of the global economic system enables information security threats such as computer viruses to proliferate with great speed. Even though the connection of almost every organization to the Internet and the spread of computer viruses represent only two vulnerabilities and potential information security risks for organizations, they still illustrate the changes in the threat environment over the last decades (cf. [Bagchi and Udo, 2003]) and the reasons why organizations should strive to manage these risks adequately. In general terms, risk is defined as the probability per unit time of the occurrence of a unit cost burden [Sage and White, 1980]. In the information security context, risk is defined as a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization [Stoneburner et al., 2002]. As the security measures necessary to lower the risk are almost always associated with costs, organizations seek measures that are capable of reducing the risk to an acceptable level at the lowest possible cost. 
Information security risk management addresses exactly these issues and was defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-30 as the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions [Stoneburner et al., 2002]. Information security risk management is a crucial element in ensuring long-term business success. Experts have proposed numerous approaches to implementing an adequate information security risk management strategy.

Regardless of which information security risk management methodology is considered, it always includes the assessment of business-critical assets of potential threats, vulnerabilities, and measures that can reduce the risk to an acceptable level [Baskerville, 1993]. While in-depth knowledge of the organization in question and the information security domain as a whole is fundamental to the presented approaches [Jung et al., 1999], only little research has been conducted on the formal knowledge representation of the domains that are relevant to information security risk management (cf. [Schumacher, 2003; Kim et al., 2005; Herzog et al., 2007]). Recent studies (e.g., [Straub and Welke, 1998]) have shown that the lack of information security knowledge at the management level is one reason for inadequate or nonexistent information security risk management strategies, and that raising the management’s level of information security awareness and knowledge leads to more effective strategies. Smith and Spafford [2004] and PITAC [2005] identified information security risk management as one of the top ten grand challenges in information technology security and called for sound theories and methods to support and improve existing information security risk management approaches. In 2006, the European Network and Information Security Agency (ENISA) addressed these issues (cf. [ENISA, 2006]) and rated the establishment of unified information bases for information security risk management and the development of risk measurement methods as high priority issues. Only a short time later, Aime et al. [2007] confirmed the lack of a set of well-defined formal models for supporting the information security risk management process. Only 48% of 1,007 interviewed UK organizations formally assess information security risks (2008 Information Security Breaches Survey [BERR, 2008]). 
To date such organizations have mostly relied on best practice guidelines, information security standards, and/or domain experts to conduct the risk assessment and mitigation phases.

However, these approaches have several problems:

  • domain expert dependence: best practice guidelines provide excellent knowledge about potential threats, vulnerabilities, and controls, but without an information security domain expert, the organization is not always able to consider the numerous complex relationships between all the relevant information security concepts. The result is a non-holistic information security approach, which endangers the performance of the organization’s mission [Vitale, 1986; Bandyopadhyay and Mykytyn, 1999; Jung et al., 1999; Baker and Wallace, 2007]
  • manual threat – infrastructure mapping: to identify concrete infrastructure elements that are endangered by certain threats, the organization has to manually match the knowledge gained from best practice guidelines to their actual infrastructure [Baskerville, 1993]
  • abstract implementation suggestions: information security standards frequently only include very abstract implementation suggestions for risk mitigation. Usually there are few or no concrete suggestions for controls, leading to inefficient risk mitigation strategies [Baker et al., 2007]
  • subjective threat probability determination: the determination of threat probabilities is predominantly based on subjective perceptions and not on an objective evaluation [Frosdick, 1997; Bandyopadhyay and Mykytyn, 1999; Baker et al., 2007]
  • unquantifiable IT security solution effectiveness: while companies strive for cost-conscious solutions, they are frequently unaware of their volume of investment in IT security and/or, even more importantly, whether these investments are effective [Ittner and Larcker, 2003; Smith and Spafford, 2004]
  • no interactive decision support: management decision makers, such as the CPO or CIO, have to cope with the task of selecting the most appropriate set of IT security investments from a great spectrum of potential IT security investments. The results of existing methods provide decision makers with inadequate or little intuitive and/or interactive decision support and, as a result, do not support them in identifying an appropriate risk versus cost trade-off when investing in IT security solutions [Lander and Pinches, 1998].”


Background: “Risk management in the context of information technology is not a new research domain. It was 1975 when the U.S. National Bureau of Standards proposed the Annual Loss Expectancy (ALE) as a metric for measuring computer-related risks [FIPS 1975]. ALE is calculated by summing up the products of impact and frequency of harmful outcomes. One shortcoming of this early approach is the fact that it does not distinguish between highly frequent, low impact events and rare, high impact events. In the 1980s it was again the U.S. National Bureau of Standards that advanced efforts in the information security risk management domain [Soo Hoo, 2000]. In a series of workshops they developed an iterative process for information security risk management that consists of the following steps: identification of the requirements (asset values, threats, vulnerabilities, existing controls, etc.), analysis of threats, vulnerabilities, and the scenario, risk measurement, acceptance test, and control selection and implementation [Soo Hoo, 2000]. Although the information security risk management approaches of the following years provided some additional steps or different process structures, they are mainly based on this approach developed in the 1980s. A combination of qualitative and quantitative risk analysis methodologies was proposed by Rainer et al. [1991]. It consists of the following steps: identification of organizational value activities, identification of the IT component of each value activity, identification of linkages among value activities and the IT components that support each of them, determination of IT assets that support interorganizational linkages, determination of the value of IT assets, identification of possible threats, identification of the vulnerability of assets to threats, and determination of the overall IT risk exposure. 
The security risk planning model by Straub and Welke [1998] includes the recognition of security problems, risk analysis (threat identification and risk prioritization), alternatives generation (generation of solutions that can mitigate the risk), decisions (selection and prioritization of security projects), and implementation. Besides general risk management frameworks, a number of information security investment decision support methods, which are an integral part of several information security risk management methodologies, have been proposed (cf. [Finne, 1998a; Finne, 1998b; Gordon and Loeb, 2002; Arora et al., 2004; Cavusoglu et al., 2004b]). In 2008, the PCR (perceived composite risk) metric was introduced by Bodin et al. [2008]. Their approach extends the traditional ALE by combining it with the expected severe loss and the standard deviation of the loss, and provides organizations with an additional decision support tool for information security investments. To make these academic approaches usable to organizations, some of them were used as a foundation for today’s information security risk management methods, standards, and best practice guidelines (e.g., CRAMM [Farquhar, 1991], NIST SP 800-30 [Stoneburner et al., 2002], CORAS [Fredriksen et al., 2002], OCTAVE [Alberts et al., 2003], EBIOS [DCSSI, 2004], and recently ISO 27005 [ISO/IEC, 2007]).”
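The Background section describes ALE as the sum of impact times frequency over harmful outcomes, and notes that ALE alone cannot separate frequent low-impact events from rare high-impact ones. The following Python is an added worked example (constructed for this page, not code from the paper or its authors): it computes ALE over a list of outcomes and then shows the shortcoming with two constructed risk profiles that share the same ALE but differ sharply in loss dispersion. The two dispersion measures are the kind of supplement Bodin et al. combine with ALE, but the exact PCR formula is not given on this page and is not claimed here; the "severe loss" threshold and the Poisson-count model behind the standard deviation are assumptions of this example.

```python
"""Annual Loss Expectancy (ALE) and why it needs a dispersion measure.

Added example; the outcome data below is constructed, not taken from the paper.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One harmful outcome: a fixed loss per event and an expected yearly rate."""
    name: str
    impact: float      # loss per occurrence, in currency units
    frequency: float   # expected occurrences per year


def ale(outcomes):
    """ALE = sum over outcomes of impact * annual frequency (FIPS PUB 65 style)."""
    return sum(o.impact * o.frequency for o in outcomes)


def expected_severe_loss(outcomes, severe_threshold):
    """Expected annual loss contributed only by events at or above a severity
    threshold. The threshold is an assumption of this example: it lets the
    rare, catastrophic part of a profile be seen separately from the ALE total."""
    return sum(o.impact * o.frequency
               for o in outcomes if o.impact >= severe_threshold)


def annual_loss_stdev(outcomes):
    """Standard deviation of the yearly loss, assuming each outcome's event
    count is Poisson with rate `frequency` and each event costs exactly
    `impact`. Under that model the variance of the yearly loss is
    sum(frequency * impact**2), so the standard deviation is its square root."""
    return math.sqrt(sum(o.frequency * o.impact ** 2 for o in outcomes))


# Constructed profiles: both have ALE = 50,000 per year.
FREQUENT_LOW_IMPACT = [
    Outcome("phishing-driven credential reset", impact=1_000.0, frequency=50.0),
]
RARE_HIGH_IMPACT = [
    Outcome("data-centre outage with data loss", impact=5_000_000.0, frequency=0.01),
]


def compare_profiles(profiles, severe_threshold=100_000.0):
    """Summarise each named profile with ALE plus the two dispersion measures,
    so that profiles with equal ALE can still be told apart."""
    return {
        name: {
            "ale": ale(outcomes),
            "expected_severe_loss": expected_severe_loss(outcomes, severe_threshold),
            "annual_loss_stdev": annual_loss_stdev(outcomes),
        }
        for name, outcomes in profiles.items()
    }


if __name__ == "__main__":
    summary = compare_profiles({
        "frequent_low_impact": FREQUENT_LOW_IMPACT,
        "rare_high_impact": RARE_HIGH_IMPACT,
    })
    for name, metrics in summary.items():
        print(name)
        for key, value in metrics.items():
            print(f"  {key:>22}: {value:,.2f}")
```

Running the block shows identical ALE for both profiles, while the expected severe loss (0 versus 50,000) and the standard deviation (about 7,071 versus 500,000) expose the difference a decision maker cares about when choosing between controls that reduce event frequency and controls that cap event impact.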



Aime, M., A. Atzeni, and P. Pomi (2007) “AMBRA: automated model-based risk analysis”, QoP ’07: Proceedings of the 2007 ACM workshop on Quality of protection, New York, NY: ACM, pp. 43-48.
Alberts, C., A. Dorofee, J. Stevens, and C. Woody (2003) Introduction to the OCTAVE approach, Technical report, Pittsburgh, PA: Carnegie Mellon – Software Engineering Institute.
Arora, A., D. Hall, C. Pinto, D. Ramsey, and R. Telang (2004) “Measuring the risk-based value of it security solutions”, IT Pro (6), pp. 35-42.
Avizienis, A., J.-C. Laprie, B. Randell, and C. Landwehr (2004) “Basic concepts and taxonomy of dependable and secure computing”, IEEE Transactions on Dependable and Secure Computing (1), pp. 11-33.
Bagchi, K. and G. Udo (2003) “An analysis of the growth of computer and internet security breaches”, Communications of the Association for Information Systems (12), pp. 684-700.
Baker, W., L. Rees, and P. Tippett (2007) “Necessary measures: metric-driven information security risk assessment and decision making”, Communications of the ACM (50), pp. 101-106.
Baker, W. and L. Wallace (2007) “Is information security under control?: Investigating quality in information security management”, IEEE Security and Privacy (5), Piscataway, NJ: IEEE Educational Activities Department, pp. 36-44.
Bandyopadhyay, K. and P. Mykytyn (1999) “A framework for integrated risk management in information technology”, Management Decision (37), pp. 437-444.
Baskerville, R. (1993) “Information systems security design methods: Implications for information systems development”, ACM Computing Surveys (25), pp. 375-414.
BERR (2008) 2008 information security breaches survey, Technical report, Department for Business Enterprise and Regulatory Reform (BERR).
BJA, B. (2008) “Center for program evaluation – Glossary”, http://www.ojp.usdoj.gov/BJA/evaluation/glossary/ (current Jan 30, 2011).
Bodin, L., L. Gordon, and M. Loeb (2008) “Information security and risk management”, Communications of the ACM (51), pp. 64-68.
BSI (2004) “IT Grundschutz Manual”, https://www.bsi.bund.de/ContentBSI/grundschutz/grundschutz.html (current Jan 30, 2011).
Burtles, J. (2007) Principles and Practice of Business Continuity: Tools and Techniques, Rothstein Associates Inc.
Cavusoglu, H., B. Mishra, and S. Raghunathan (2004a) “The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers”, International Journal of Electronic Commerce (9), pp. 69-104.
Cavusoglu, H., B. Mishra, and S. Raghunathan (2004b) “A model for evaluating IT security investments”, Communications of the ACM (47), pp. 87-92.
Commission of the European Communities (2006) Communication from the Commission to the Council, The European Parliament, The European Economic and Social Committee and the Committee of the Regions: “A strategy for a Secure Information Society – Dialogue, partnership and empowerment”, COM(2006) 251 final.
DCSSI (2004) Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS) – Section 2 – Approach, General Secretariat of National Defence Central Information Systems Security Division (DCSSI).
ENISA (2006) Risk management: implementation principles and inventories for risk management/ risk assessment methods and tools, Technical report, European Network and Information Security Agency.
Farquhar, B. (1991) “One approach to risk assessment”, Computers and Security (10), pp. 21-23.
Fenz, S. and A. Ekelhart (2009) “Formalizing information security knowledge”, Proceedings of the 4th ACM Symposium on Information, Computer, and Communications Security, pp. 183-194.
Fenz, S., A. Ekelhart, and T. Neubauer (2009) “Business process-based resource importance determination”, Proceedings of the 7th International Conference on Business Process Management (BPM’2009), Springer Berlin Heidelberg, Lecture Notes in Computer Science, Volume 5701, pp. 113-127.
Fenz, S. and T. Neubauer (2009) “How to determine threat probabilities using ontologies and Bayesian networks”, CSIIRW ’09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research, ACM.
Fenz, S., A. Tjoa, and M. Hudec (2009) “Ontology-based generation of Bayesian networks”, International Conference on Complex, Intelligent and Software Intensive Systems, 2009. CISIS ’09., IEEE Computer Society, pp. 712-717.
Finne, T. (1998a) “A conceptual framework for information security management”, Computers & Security (17), pp. 303-307.
Finne, T. (1998b) “The three categories of decision-making and information security”, Computers & Security (17), pp. 397-405.
FIPS (1975) Guideline for automatic data processing risk analysis, Federal Information Processing Standards Publications (FIPS PUB) 65, National Bureau of Standards.
Fredriksen, R., M. Kristiansen, B. A. Gran, K. Stolen, T. A. Opperud, and T. Dimitrakos (2002) “The CORAS framework for a model-based risk management process”, SAFECOMP’02: Proceedings of the 21st International Conference on Computer Safety, Reliability and Security, London: Springer-Verlag, pp. 94-105.
Frosdick, S. (1997) “The techniques of risk analysis are insufficient in themselves”, Disaster Prevention and Management (6), pp. 165-177.
Gerber, M. and R. von Solms (2004) “Management of risk in the information age”, Computers & Security (24), pp. 16-30.
Gómez-Pérez, A., M. Fernández-López, and O. Corcho (2004) Ontological engineering, Springer Heidelberg.
Gordon, L. and M. Loeb (2002) “The economics of information security investment”, ACM Transactions on Information and System Security (5), pp. 438-457.
Herzog, A., N. Shahmehri, and C. Duma (2007) “An ontology of information security”, International Journal of Information Security and Privacy (1), pp. 1-23.
ISO/IEC (2005) ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.
ISO/IEC (2007) ISO/IEC 27005:2007, Information technology – Security techniques – Information security risk management.
Ittner, C. D. and D. F. Larcker (2003) “Coming up short on nonfinancial performance measurement”, Harvard Business Review (81), Philadelphia, PA: Wharton School, University of Pennsylvania. http://view.ncbi.nlm.nih.gov/pubmed/14619154 (current Jan 30, 2011).
Järvinen, P. (2000) “Research questions guiding selection of an appropriate research method”, Proceedings of the 8th European Conference on Information Systems, Trends in Information and Communication Systems for the 21st Century, ECIS 2000, Vienna, Austria, July 3-5, 2000, pp. 124-131.
Jung, C., I. Han, and B. Suh (1999) “Risk analysis for electronic commerce using case-based reasoning”, International Journal of Intelligent Systems in Accounting, Finance & Management (8), pp. 61-73.
Kairab, S. and L. Kelly (2004) A Practical Guide to Security Assessments, Boston, MA: Auerbach Publications.
Kim, A., J. Luo, and M. Kang (2005) “Security ontology for annotating resources”, OTM Conferences (2), pp. 1483-1499.
Lander, D. M. and G. E. Pinches (1998) “Challenges to the practical implementation of modeling and valuing real options”, The Quarterly Review of Economics and Finance (38), pp. 537-567. http://ideas.repec.org/a/eee/quaeco/v38y1998i3p537-567.html (current Jan 30, 2011).
Neubauer, T. and C. Stummer (2007) “Extending business process management to determine efficient IT investments”, Proceedings of the 2007 ACM Symposium on Applied Computing (SAC ’07), pp. 1250-1256.
NIST (1995) An Introduction to Computer Security – The NIST Handbook, Technical report, NIST (National Institute of Standards and Technology). Special Publication 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf (current Jan 30, 2011).
Peltier, T. R. (2005) Information Security Risk Analysis, 2nd edition, Boston, MA: Auerbach Publications.
PITAC (2005) Cyber Security: A Crisis of Prioritization: Report to the President, Technical report, President’s Information Technology Advisory Committee.
Rainer, R., C. Snyder, and H. Carr (1991) “Risk analysis for information technology”, Journal of Management Information Systems (8), pp. 129-147.
Ryan, S. D. and M. S. Gates (2004) “Inclusion of social sub-system issues in it-investment decisions: An empirical assessment”, Information Resources Management Journal (17), pp. 1-18.
Sage, A. and E. White (1980) “Methodologies for risk and hazard assessment: A survey and status report”, IEEE Transactions on Systems, Man, and Cybernetics (SMC-10), pp. 425-446.
Schumacher, M. (2003) Security Engineering with Patterns – Origins, Theoretical Model, and New Applications, Springer.
Smith, S. and E. Spafford (2004) “Grand challenges in information security: Process and output”, IEEE Security & Privacy (2), pp. 69-71.
Soo Hoo, K. (2000) How much is enough? A risk management approach to computer security, PhD thesis, Stanford University.
Stallinger, M. (2007) IT-Governance im Kontext Risikomanagement, PhD thesis, Johannes Kepler Universität Linz.
Stoneburner, G., A. Goguen, and A. Feringa (2002) Risk management guide for information technology systems, NIST Special Publication 800-30, Gaithersburg, MD: National Institute of Standards and Technology (NIST).
Straub, D. and R. Welke (1998) “Coping with systems risk: Security planning models for management decision making”, MIS Quarterly (22), pp. 441-469.
Vitale, M. (1986) “The growing risks of information systems success”, MIS Quarterly (10), pp. 327-334.
W3C (2004) “OWL – web ontology language”. http://www.w3.org/TR/owl-features/ (current Jan 30, 2011).



Fenz, Stefan; Ekelhart, Andreas; and Neubauer, Thomas (2011) “Information Security Risk Management: In Which Security Solutions Is It Worth Investing?,” Communications of the Association for Information Systems: Vol. 28, Article 22.