Using time-driven activity-based costing to manage digital forensic readiness in large organisations

Information Systems Frontiers

Abstract

A digital forensic readiness (DFR) programme consists of a number of activities that should be chosen and managed with respect to cost constraints and risk. Traditional cost systems, however, cannot provide the cost of individual activities. This makes it difficult or impossible for organisations to consider cost when making decisions about specific activities. In this paper we show that the relatively new cost system, time-driven activity-based costing (TDABC), can be used to determine the cost of implementing and managing activities required for DFR. We show through analysis and simulation that the cost information from a TDABC model can be used for such decisions. We also discuss some of the factors that ought to be considered when implementing or managing the use of TDABC in a large organisation.

Author information

Corresponding author

Correspondence to K. Reddy.

Appendix A

Table 3 Resource allocation for information security team

Cite this article

Reddy, K., Venter, H.S. & Olivier, M.S. Using time-driven activity-based costing to manage digital forensic readiness in large organisations. Inf Syst Front 14, 1061–1077 (2012). https://doi.org/10.1007/s10796-011-9333-x
