
Business Oriented Information Security Management – A Layered Approach

  • Conference paper
On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS (OTM 2007)

Abstract

Information Security Management has become a top management priority because of a rapidly increasing economic dependency on information and on the information and communication technologies that underlie it. While several efforts have been undertaken to set up physical, technical and organizational concepts to secure the information infrastructure, economic aspects have been widely neglected despite growing management interest. This paper presents a layered model for managing information security with a strong economic focus, introducing a comprehensive concept that specifically links business goals and information security goals.



Editor information

Robert Meersman Zahir Tari


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Klempt, P., Schmidpeter, H., Sowa, S., Tsinas, L. (2007). Business Oriented Information Security Management – A Layered Approach. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. OTM 2007. Lecture Notes in Computer Science, vol 4804. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76843-2_49


  • DOI: https://doi.org/10.1007/978-3-540-76843-2_49

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-76835-7

  • Online ISBN: 978-3-540-76843-2

  • eBook Packages: Computer Science (R0)
