Abstract
Information Security Management has become a top management priority because of the rapidly increasing economic dependency on information and on the information and communication technologies that underlie it. While several efforts have been undertaken to set up physical, technical and organizational concepts to secure the information infrastructure, economic aspects have been widely neglected despite increasing management interest. This paper presents a layered model for managing information security with a strong economic focus, introducing a comprehensive concept that explicitly links business goals and information security goals.
© 2007 Springer-Verlag Berlin Heidelberg
Klempt, P., Schmidpeter, H., Sowa, S., Tsinas, L. (2007). Business Oriented Information Security Management – A Layered Approach. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. OTM 2007. Lecture Notes in Computer Science, vol 4804. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76843-2_49
DOI: https://doi.org/10.1007/978-3-540-76843-2_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-76835-7
Online ISBN: 978-3-540-76843-2