Advanced Search

Content Type

Topics

Publication Date

SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies

Abstract

Many companies rely on historical data to build predictability models for cost/benefit justification of future projects. Unfortunately, for small companies, which generally do not have a process for collecting security data, the costs and the benefits of information security improvement projects have been very difficult to estimate and justify. In addition, detailed attack data are simply not available to be used as references in cost estimations. Given these difficulties, many small companies choose to ignore entirely the security vulnerabilities in their systems, and many suffer the consequences of security breaches and significant financial loss. Small companies that do implement security improvement projects often have problems understanding the cost structures of their improvement initiatives and how to translate risk exposures into costs that can be passed on to their customers. 

To deal with the aforementioned problems, this report describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security improvement projects. The framework classifies misuse cases into categories of threats for which nationally surveyed risks and financial data are publicly available. For each category of threats, costs, benefits, baseline risks, and residual risks are estimated. The framework then generates all permutations of possible solutions and analyzes the most optimal approach to maximize the value of security improvement projects. The framework analyzes the problems from five dimensions: Total Implementation Costs, Total System Value, Net Project Value, Benefit/Cost Ratio, and Risk Exposures. The final proposed system will be derived from the comparisons of these dimensions, taking into consideration each company's specific situation. 

This report is one of a series of reports resulting from research conducted by the System Quality Requirements Engineering (SQUARE) Team as part of an independent research and development project of the Software Engineering Institute.

Cite This Report

Show Citation Formats

SEI

Xie, Nick; Mead, Nancy; Chen, Peter; Dean, Marjon; Lopez, Lilian; Ojoko-Adams, Don; & Osman, Hassan. SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies (CMU/SEI-2004-TN-045). Software Engineering Institute, Carnegie Mellon University, 2004. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7013

IEEE

Xie. Nick, Mead. Nancy, Chen. Peter, Dean. Marjon, Lopez. Lilian, Ojoko-Adams. Don, and Osman. Hassan, "SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2004-TN-045, 2004. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7013

APA

Xie, Nick., Mead, Nancy., Chen, Peter., Dean, Marjon., Lopez, Lilian., Ojoko-Adams, Don., & Osman, Hassan. (2004). SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies (CMU/SEI-2004-TN-045). Retrieved October 02, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7013

CHI

Nick Xie, Nancy Mead, Peter Chen, Marjon Dean, Lilian Lopez, Don Ojoko-Adams, & Hassan Osman. SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies (CMU/SEI-2004-TN-045). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7013

MLA

Xie, Nick., Mead, Nancy., Chen, Peter., Dean, Marjon., Lopez, Lilian., Ojoko-Adams, Don., & Osman, Hassan. 2004. SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies (Technical Report CMU/SEI-2004-TN-045). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7013