search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies

Technical Note
By
In this 2004 report, the authors describe a cost/benefit analysis for estimations in small companies' information security improvement projects.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2004-TN-045
DOI (Digital Object Identifier)
10.1184/R1/6584309.v1
Subjects

Abstract

Many companies rely on historical data to build predictability models for cost/benefit justification of future projects. Unfortunately, for small companies, which generally do not have a process for collecting security data, the costs and the benefits of information security improvement projects have been very difficult to estimate and justify. In addition, detailed attack data are simply not available to be used as references in cost estimations. Given these difficulties, many small companies choose to ignore entirely the security vulnerabilities in their systems, and many suffer the consequences of security breaches and significant financial loss. Small companies that do implement security improvement projects often have problems understanding the cost structures of their improvement initiatives and how to translate risk exposures into costs that can be passed on to their customers. 

To deal with the aforementioned problems, this report describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security improvement projects. The framework classifies misuse cases into categories of threats for which nationally surveyed risks and financial data are publicly available. For each category of threats, costs, benefits, baseline risks, and residual risks are estimated. The framework then generates all permutations of possible solutions and analyzes the most optimal approach to maximize the value of security improvement projects. The framework analyzes the problems from five dimensions: Total Implementation Costs, Total System Value, Net Project Value, Benefit/Cost Ratio, and Risk Exposures. The final proposed system will be derived from the comparisons of these dimensions, taking into consideration each company's specific situation. 

This report is one of a series of reports resulting from research conducted by the System Quality Requirements Engineering (SQUARE) Team as part of an independent research and development project of the Software Engineering Institute.

SHARE
Download PDF
Cite This Technical Note

Xie, N., Mead, N., Chen, P., Dean, M., Lopez, L., Ojoko-Adams, D., & Osman, H. (2004, November 1). SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies. (Technical Note CMU/SEI-2004-TN-045). Retrieved April 16, 2024, from https://doi.org/10.1184/R1/6584309.v1.

@techreport{xie_2004,
author={Xie, Nick and Mead, Nancy and Chen, Peter and Dean, Marjon and Lopez, Lilian and Ojoko-Adams, Don and Osman, Hassan},
title={SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies},
month={Nov},
year={2004},
number={CMU/SEI-2004-TN-045},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6584309.v1},
note={Accessed: 2024-Apr-16}
}

Xie, Nick, Nancy Mead, Peter Chen, Marjon Dean, Lilian Lopez, Don Ojoko-Adams, and Hassan Osman. "SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies." (CMU/SEI-2004-TN-045). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, November 1, 2004. https://doi.org/10.1184/R1/6584309.v1.

N. Xie, N. Mead, P. Chen, M. Dean, L. Lopez, D. Ojoko-Adams, and H. Osman, "SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2004-TN-045, 1-Nov-2004 [Online]. Available: https://doi.org/10.1184/R1/6584309.v1. [Accessed: 16-Apr-2024].

Xie, Nick, Nancy Mead, Peter Chen, Marjon Dean, Lilian Lopez, Don Ojoko-Adams, and Hassan Osman. "SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies." (Technical Note CMU/SEI-2004-TN-045). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Nov. 2004. https://doi.org/10.1184/R1/6584309.v1. Accessed 16 Apr. 2024.

Xie, Nick; Mead, Nancy; Chen, Peter; Dean, Marjon; Lopez, Lilian; Ojoko-Adams, Don; & Osman, Hassan. SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies. CMU/SEI-2004-TN-045. Software Engineering Institute. 2004. https://doi.org/10.1184/R1/6584309.v1

Ask a question about this Technical Note