To invest or not to invest? assessing the economic viability of a policy and security configuration management tool

Abstract

The threat of information security (IS) breaches is omnipresent. Large organizations such as Sony or Lockheed Martin were recently attacked and lost confidential customer information. Besides targeted attacks, virus and malware infections, lost or stolen laptops and mobile devices, or the abuse of the organizational IT through employees, to name but a few, also put the security of assets in jeopardy. To defend against IS threats, organizations invest in IS countermeasures preventing, or, at least, reducing the probability and the impact of IS breaches. As IS budgets are constrained and the number of assets to be protected is large, IS investments need to be deliberately evaluated. Several approaches for the evaluation of IS investments are presented in the literature. In this chapter, we identify, compare, and evaluate such approaches using the example of a policy and security configuration management tool. Such a tool is expected to reduce the costs of organizational policy and security configuration management and to increase the trustworthiness of organizations. It was found that none of the analyzed approaches can be used without reservation for the assessment of the economic viability of the policy and security configuration management tool used as an example. We see, however, considerable potential for new approaches combining different elements of existing approaches.