Using time-driven activity-based costing to manage digital forensic readiness in large organisations
A digital forensic readiness (DFR) programme consists of a number of activities that should be chosen and managed with respect to cost constraints and risk. Traditional cost systems, however, cannot provide the cost of individual activities. This makes it difficult or impossible for organisations to consider cost when making decisions about specific activities. In this paper we show that the relatively new cost system, time-driven activity-based costing (TDABC), can be used to determine the cost of implementing and managing activities required for DFR. We show through analysis and simulation that the cost information from a TDABC model can be used for such decisions. We also discuss some of the factors that ought to be considered when implementing or managing the use of TDABC in a large organisation.
Keywords: Digital forensic readiness; Time-driven activity-based costing; Forensics management; Cost management