Portfolio approach to information technology security resource allocation decisions

Shivraj Kanungo
Department of Decision Sciences, The George Washington University, Washington DC 20052
kanungo@gwu.edu

Abstract
This paper presents a portfolio optimization approach to information technology (IT) security investment decisions in an organization. This approach has been motivated by the extreme variations that are found in IT security requirements for organizations, in addition to the diversity of starting conditions found in organizations that choose to embark on a formal approach to managing their security. Often, a budgetary allocation is made for IT security, and IT managers and management are faced with the problem of how to allocate these monies or resources across competing projects and products that can potentially improve or enhance IT security in an organization. Instead of ranking or rating the various alternatives based on their benefits only, it is demonstrated how, by identifying organizational objectives and then aligning the decisions with the objectives, one can optimally allocate resources across the IT security portfolio. The approach in this paper has been to provide a generic decision framework that can be customized by practitioners and fine-tuned by other researchers. The approach is explained and then the results are discussed using a case study. Both the strengths and weaknesses of this approach are highlighted, and suggestions for how this approach can be deployed and enhanced are provided.

Keywords: IT security, resource allocation, decision theory, analytic hierarchy process, optimization

Introduction
Spending on IT security is projected to grow by 24 percent (compounded annually) between 2001 and 2006 (Roberts 2003). Organizations are spending heavily not only on IT security but also on security in general. As the IS function matures, many organizations have a formal information system plan (which may include an IT plan also). This implies that there exists a formal IS strategy that is aligned with the organizational strategy.
In such cases, we can assume that the information security plan would be part of the larger IS plan. By implication, since the information security plan would be derived from, and consistent with, the IS plan, it would also be aligned with the organizational strategy. The issue of spending on IT security is well summed up by Levinson (2002), who quotes an IT professional: "we have no fear of spending money, but we have to do it wisely."
According to Swanson et al. (2003), resource allocation responsibilities, in various forms, reside with the head of the organization, the CIO, the security program manager and the program manager or the system owner. The ultimate responsibility, however, resides with the head of the organization. While Swanson et al. (2003) refer to federal government agencies, this distribution of responsibility holds for any organization in general. The implication of such shared and ultimate responsibility is that every decision maker and (preferably) every organizational stakeholder needs to understand why certain decisions were taken, how they were taken and the implications of such decisions going wrong. The problem for any manager requesting funds is to convince budgetary authorities to allocate the requisite resources (most typically, funds). The problem for the individual(s) who make the allocation decision is to understand the need for such funds and then make decisions well aware of the tradeoffs that may ensue. In essence, information security decisions, like many decisions, need first, a transparent decision process and second, a parsimonious way of communicating the decision framework. In short, IT security resource allocation decisions require significant organizational investments. The goal of such decisions is to maximize the value of such investments (whether one time or ongoing). The objective of this paper is to present one such decision making framework that helps organizations analyze and understand their security concerns, in addition to helping them leverage their investments in information security. The paper is presented as follows. First the IT security investment problem is described and definitions of key terms are provided. Then a portfolio optimization approach to the problem is proposed. Such an approach is justified primarily by invoking the contextual and unique nature of the IT security needs of an organization. Then the application of this approach is presented using a real life case study to explain how the model was developed and how the results can be interpreted.
The paper is concluded by pointing out some weaknesses of this approach as well as highlighting the strengths. In addition, suggestions for improving this framework are also made.

Problem description
In an organization, information security or information technology security often rears itself as a critical issue. This means that organizations often wake up to security problems when they actually encounter (or expect to encounter) a security-related incident, or when a security incident has occurred in another organization that is proximal to itself, increasing the likelihood of its happening in that organization. Alternatively, organizations can be mandated by regulatory bodies to meet minimum security standards. Budgetary processes are instrumental in driving most investment decisions in organizations (OMB 2005). Given that IT security-related decisions fall into the critical category and that there is often a regulatory deadline or a high opportunity cost associated with making mistakes with such decisions, there are two, often conflicting, goals in this decision-making situation: (a) take a decision expeditiously and, at the same time, (b) exercise due diligence.
The decision is often compounded by the fact that there is always so much to do when it comes to IT security, simply because there are so many potential vulnerabilities in any organizational system (not just the information system). Apart from the information technology infrastructure (that, among other things, includes networks, databases and applications), organizational processes have to be made secure just as people have to be trained to change their security related behaviors. Not only does this take a high initial investment, it also requires a continuous stream of recurrent investments to reinforce and sustain the existing standards of IT security. As a result, the IT security investment decision is one that needs to be made every year in order to reassess the IT security goals and realign investments (or spending) with those goals. The nature of organizational decision-making is not perfect. Prevailing organizational biases and tensions due to competing demands for the same set of resources, and the lack of perfect information, require that tradeoffs be made and, in doing so, that judgments be used. Judgments are subjective and we need to encapsulate such subjectivity in a meaningful way. For instance, when comparing two security products (say, a firewall), regardless of how carefully we develop criteria to compare them, there will eventually remain a level of subjectivity when we compare these products based on those criteria. More importantly, when we attempt to evaluate the value of an investment in IT security, such an evaluation is necessarily multifaceted and complex. The research motivation for this paper was provided by Bodin et al. (2005), who have identified the need for using quantitative measures (like NPV), and Gordon and Loeb (2006), who have identified AHP as one of the approaches to resource allocation in IT security decisions. While both papers attempt to provide a basis to make meaningful investments for IT security, there are gaps that can be addressed. For instance, Gordon and Loeb (2006) acknowledge that the ability to accurately estimate benefits is a key factor in using NPV effectively.
However, as Rodewald (2005) has observed, ROI is a poor metric to use when comparing IT security investments to investments that yield a tangible return. So, in this paper, a multi-attribute measure to evaluate IT security benefits is suggested. Secondly, Bodin et al. (2005) have suggested that the ratio of benefits to costs may be a better metric to employ when making resource allocation decisions in the context of IT security. It is shown that such an approach may not be indeed so, and that focusing on benefits is the most optimal approach.

Methodology
A linear programming approach is combined with the analytical hierarchy process to demonstrate how IT security investments can be effectively leveraged by an organization. While every organization has its own specific goals and IT-security related objectives, we present a somewhat generic approach (that can be customized by other users) by identifying three broad objectives (G1, G2 and G3) based on the security service categories shown in Table 1.

Table 1. Security services and goals (adapted from Grance et al., 2003, p. 5-1)

Category: Management (G1)
Security services: Security Program (C11), Security Policy (C12), Risk Management (C13), Security Architecture (C14), Certification and Accreditation (C15), Security Evaluation of IT Products (C16)
Description: Management objectives are those that have to do with the organization's overall computer security program. These goals are met based on how well the computer security program and risk are managed within the organization. These could include meeting regulatory compliance and minimizing enterprise-wide disruptions.

Category: Operational (G2)
Security services: Contingency Planning (C21), Incident Handling (C22), Testing (C23), Training (C24)
Description: Operational objectives are focused on controls implemented and executed by people (as opposed to systems). For these goals to be met, technical or specialized expertise that relies on management activities and technical controls needs to be in place. These goals could include meeting a certain level of diffusion of personal firewalls in the organization and ensuring a certain cycle time for recovering from a virus attack.

Category: Technical (G3)
Security services: Firewalls (C31), Intrusion Detection (C32), Public Key Infrastructure (C33)
Description: Technical objectives have to do with security controls involving a computer system. These goals depend on the proper functioning of the system. These goals could include an upper bound on the number of successful virus attacks or ensuring that a certain minimum number of computers are part of a third-party authentication framework.

The logic of the approach is that the resources being invested in IT security have to be aligned with the IT security goals. Once the objectives are identified and the alternatives identified (these are the projects or initiatives that are shown in Appendix A), the criteria are established to evaluate how well a certain alternative meets a particular aspect of a goal. These are the security services shown in Table 1. For instance, the management objective has six components, and C23 is the third criterion for the second goal. An alternative is evaluated on how important it is to meeting the requirements of each component. Based on this, the decision hierarchy that we develop is shown in Figure 1.
The 8 alternatives (A1 through A8) are shown hanging from each of the criteria that have been identified. The decision hierarchy also shows that at each node we have a comparison matrix, the order of which is the number of elements being compared. For instance, at the goal node, the comparison matrix is of order 3, since there are three goals being compared.
[Figure 1: the AHP hierarchy. The Goal node is compared pairwise over G1, G2 and G3; below them hang the criteria C11 to C16, C21 to C24 and C31 to C33, each node carrying a pairwise comparison matrix over its elements; the alternatives A1 to A8 hang from every criterion.]
Figure 1. The AHP hierarchy used to generate priorities for the eight projects shown in Appendix A

The approach to constructing the AHP hierarchy in this paper departs from that adopted by Gordon and Loeb (2005) in that the goal of IT security is designed to be maximally aligned with that of the organizational goals. Hence, one does not necessarily have to be limited to technical criteria. Using this approach allows an organization to adopt a more integrative approach toward conceptualizing and budgeting for IT security. Using this tree, the relative importance of the goals is measured using pair-wise comparison. This step is repeated for the criteria to evaluate each alternative. After prioritizing the objectives, the IT security alternatives are scored, using either pair-wise comparisons (which can be tedious) or absolute rating scales and utility curves (typically non-linear). Once the final priorities for the alternatives are obtained, they are subjected to sensitivity analysis to ensure that the judgments are valid. The complete set of results is shown in Appendix B. Following this, the portfolio for benefits subject to funding is optimized based on dependency and other constraints. The typical form for this optimization would be

Maximize expected value of IT security benefits $= \sum_{i=1}^{n} B_i$

Subject to
1. Budget constraint
2. Dependency constraint (if x is funded, then y has to be funded or not funded)
3. Some projects can be partially funded while others can not be
4. Specific constraints

where $B_i$ is the benefit associated with the $i$th project. The $B_i$ can be generated as AHP priorities (since they are generally qualitative) or by some other method. In this study ExpertChoice version 11.1.3628 was used to generate benefit priorities using the AHP hierarchy shown in Figure 1. These computations can also be accomplished using Microsoft Excel and the built-in optimizer (the Solver Add-in).
Data and Analysis
In this section the data are presented that were used to allocate resources among IT security alternatives. Issues such as which projects are funded and why, what the tradeoffs are, what the nature of those tradeoffs is, and what the implications of using different approaches to allocating resources for IT security initiatives are, are scrutinized. Table 2 shows the benefits derived using the AHP structure shown in Figure 1 (see Appendix B). A1 through A8 are the leaf nodes for the tree shown in Figure 1. The available budget is taken to be $200,000 (see Appendix A).

Table 2. List of all the projects, their benefits and the associated costs

Project Id  Project definition                                                                          Benefit  Cost ($)
A1          End user training (training programs and online material development)                       0.082    56000
A2          End user support (firewall and anti virus software)                                          0.124    24000
A3          Upgrade and maintain server for firewall                                                     0.108    25000
A4          Revise and improve security process audit and quality office process                         0.078    43000
A5          Establish IT security task force (for security planning and coordination)                    0.053    25000
A6          Establish separate security program office (for SOX and regulatory compliance reporting)     0.123    75000
A7          Security operations group training (5 programs per year)                                     0.073    59000
A8          Email spam filter enhancement                                                                0.053    12000

Three approaches are presented to allocate resources across IT security projects. They include benefit maximization, benefit to cost ratio maximization and maximization of benefits using linear programming.

Benefit maximization
When attempting to maximize benefits, the project that provides the maximum benefit is chosen and selected to be funded. Then the project with the next highest benefit is selected to be funded, and this process continues till the budget is exhausted or the next project to be funded makes the total cost exceed the available budget. Table 3 shows that if project A4 is funded the total allocation exceeds the budgeted amount of $200,000.

Table 3. Benefits, costs and cumulative costs for the projects sorted by benefits

Project Id  Benefit  Cost    Cumulative cost
A2          0.124    24000   24000
A6          0.123    75000   99000
A3          0.108    25000   124000
A1          0.082    56000   180000
- - - - - - - - - - - - - - - - - - - - - - (budget of $200,000 exhausted)
A4          0.078    43000   223000
A7          0.073    59000   282000
A5          0.053    25000   307000
A8          0.053    12000   319000

Total benefits add up to 0.694, and the actual benefits (from the projects that were funded) add up to 0.437. Similarly, all the benefits to cost ratios add up to 2.218E-05, and the total of benefits to cost ratios of projects that were actually funded adds up to 1.259E-05 [1]. Hence the effectiveness of this allocation from a benefit maximization perspective is 63.0% [2]. Similarly, the effectiveness of this allocation from a benefit to cost maximization standpoint is 56.8%.

Benefit/cost ratio maximization
The approach to maximizing the total of benefit to cost ratios is identical to the approach for maximizing benefits. The primary difference is that instead of using benefits to select projects, benefits to cost ratios are used to make the selection. Table 4 shows the projects sorted in descending order based on the benefit/cost ratio. The project with the highest benefit to cost ratio (in this case project A1) is chosen to be funded, followed by the project with the next highest benefit to cost ratio, and this process continues till the budget is exhausted or till the next project to be funded makes the total allocation overshoot the available budget. Note that by employing this approach one is able to fit one more project into the available budget. While budget utilization was not an explicit goal, this approach has been able to increase benefits in such a way that more projects are funded.

Table 4. Benefits, costs, benefits/costs and cumulative costs for the projects sorted by benefits/costs

Project Id  Benefit  Cost    Benefit/cost  Cumulative cost
A1          0.124    24000   5.167E-06     24000
A2          0.053    12000   4.417E-06     36000
A3          0.108    25000   4.320E-06     61000
A7          0.053    25000   2.120E-06     86000
A5          0.078    43000   1.814E-06     129000
- - - - - - - - - - - - - - - - - - - - - - - - - - - (budget of $200,000 exhausted)
A8          0.123    75000   1.640E-06     204000
A4          0.082    56000   1.464E-06     260000
A6          0.073    59000   1.237E-06     319000

[1] Actual total benefits are composed of all the benefits above the dashed line in Table 3. Similarly, actual total benefits to cost ratios are computed from the same set of projects that are above the dashed line.
[2] (0.437/0.694)*100 = 63.0%
Using this approach, and as shown in section 4.1, the effectiveness of allocation from a benefit maximization standpoint is 59.9% and from a benefit to cost maximization standpoint is 80.4%.

Benefit maximization with budget constraints
In this approach linear programming (LP) is used to maximize benefits subject to budget constraints. The canonical form of the generalized LP formulation becomes

Maximize IT security benefits $= \sum_{i=1}^{n} B_i F_i$

subject to the following constraints

$\sum_{i=1}^{n} C_i F_i \le \text{Budget}$

all $F_i$ are integers that can take a value of 0 or 1

where
$B_i$ = benefit associated with alternative $i$
$C_i$ = cost associated with alternative $i$
$F_i$ = decision variable associated with alternative $i$

For this problem, the $B_i$ and $C_i$ are obtained from the benefits and cost columns respectively in Table 2. Solving for the $F_i$, we obtain the following solution: $F_1 = F_3 = F_4 = F_5 = F_7 = F_8 = 1$ and $F_2 = F_6 = 0$. This implies that projects/initiatives 2 and 6 are not funded; everything else is. Using this approach the effectiveness of allocation from a benefit maximization perspective is 71.6% and from the benefits to costs ratio standpoint is 87.03%. Table 5 summarizes the results.

Table 5. Effectiveness of three resource allocation approaches from the benefits and benefits/costs ratio perspectives

Approach                       Effectiveness of allocation with respect to
                               Benefits   Benefits/Costs ratio
Benefit maximization           63.0%      56.8%
Benefit to cost maximization   59.9%      80.4%
Linear optimization            71.6%      87.03%

Table 5 clearly shows that the optimization approach is much more effective than either the benefit maximization or the benefits/costs maximization approach.
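The three allocation rules above, run on the benefits and costs of Table 2, as an added example that is not code from the paper (which used ExpertChoice and the Excel Solver): both greedy rules stop at the first project that would overshoot the budget, as the text specifies, and the benefit maximization is solved by enumerating all 2^8 funding vectors F_i instead of an LP solver, with the must-fund and dependency constraints the paper lists as extensions included as a constructed addition. With the three-decimal benefits of Table 2 the optimum funds A1 to A5 and A8 for $185,000 and scores 71.8% and 87.0%, slightly off the 71.6% and 87.03% reported, which were presumably computed from unrounded AHP priorities.

```python
"""Added example, not the paper's own code (which used ExpertChoice and the
Excel Solver): the three allocation rules of the case study, run on the
benefits and costs listed in Table 2."""
from itertools import combinations

BUDGET = 200_000
# (project id, AHP benefit priority, annual cost in $), as in Table 2.
PROJECTS = [
    ("A1", 0.082, 56_000),  # end user training
    ("A2", 0.124, 24_000),  # end user support (firewall and anti-virus)
    ("A3", 0.108, 25_000),  # upgrade and maintain firewall server
    ("A4", 0.078, 43_000),  # revise security process audit
    ("A5", 0.053, 25_000),  # IT security task force
    ("A6", 0.123, 75_000),  # separate security program office (SOX)
    ("A7", 0.073, 59_000),  # security operations group training
    ("A8", 0.053, 12_000),  # e-mail spam filter enhancement
]


def greedy(projects, budget, key):
    """Fund projects in descending order of `key` and stop at the first one
    whose cost would push the cumulative total over the budget (the paper's
    stopping rule for both the benefit and the benefit/cost ranking)."""
    funded, spent = [], 0
    for pid, _benefit, cost in sorted(projects, key=key, reverse=True):
        if spent + cost > budget:
            break
        funded.append(pid)
        spent += cost
    return funded, spent


def optimize(projects, budget, must_fund=(), requires=None):
    """Maximize total benefit subject to the budget with 0/1 funding decisions
    F_i.  With eight projects, enumerating all 2**8 funding vectors replaces
    the LP solver.  `must_fund` and `requires` ({"X": "Y"} means: if X is
    funded, Y must be funded too) are constraint types the paper lists but
    does not apply in its case study (constructed extension)."""
    requires = requires or {}
    best = ([], 0, -1.0)  # (funded ids, cost, benefit)
    for r in range(len(projects) + 1):
        for combo in combinations(projects, r):
            ids = {pid for pid, _, _ in combo}
            cost = sum(c for _, _, c in combo)
            if cost > budget or not set(must_fund) <= ids:
                continue
            if any(x in ids and y not in ids for x, y in requires.items()):
                continue
            benefit = sum(b for _, b, _ in combo)
            if benefit > best[2]:
                best = ([pid for pid, _, _ in combo], cost, benefit)
    return best[0], best[1]


def effectiveness(projects, funded):
    """Return (benefit effectiveness %, benefit/cost-ratio effectiveness %):
    the funded share of the total benefit and of the total of B_i / C_i,
    which is how Table 5 scores each allocation."""
    chosen = [p for p in projects if p[0] in funded]
    ben = sum(b for _, b, _ in chosen) / sum(b for _, b, _ in projects)
    ratio = sum(b / c for _, b, c in chosen) / sum(b / c for _, b, c in projects)
    return round(100 * ben, 1), round(100 * ratio, 1)


def compare(projects=PROJECTS, budget=BUDGET):
    """Run all three rules; returns {rule: (funded ids, spent, eff_b, eff_r)}."""
    runs = {
        "benefit": greedy(projects, budget, key=lambda p: p[1]),
        "benefit/cost": greedy(projects, budget, key=lambda p: p[1] / p[2]),
        "optimization": optimize(projects, budget),
    }
    return {name: (f, s, *effectiveness(projects, f))
            for name, (f, s) in runs.items()}


if __name__ == "__main__":
    for name, (funded, spent, eff_b, eff_r) in compare().items():
        print(f"{name:13s} funds {funded} for ${spent:,}: "
              f"{eff_b}% of benefit, {eff_r}% of benefit/cost")
```

The block identifies projects by their Table 2 ids, so rows of Table 4 should be matched by their benefit and cost values rather than by label. The set the text lists (every project except A2 and A6) would cost $220,000 against the $200,000 budget, so the budget check in optimize() is worth applying to any reported solution.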
Discussion
The issues of how and why one obtains better resource allocation effectiveness when one uses LP, and why it makes sense in the context of IT security investments, are taken up for discussion. Subsequently, how this approach has been able to meet the two decision objectives that had been identified in the beginning of the paper is taken up for discussion. In terms of IT security portfolio decision effectiveness, it is clear from Table 5 that a singular focus on IT security benefits fails to provide the most effective allocation policy for IT security resources. Figure 2 shows a comparison of IT security resource allocation approaches by using three efficient frontiers, one for each of the allocation approaches. The numbers above the arrows show the number of projects that can be funded using a particular approach. For instance, using the benefits only approach (Section 4.1) we can only fund four projects.

[Figure 2: three efficient frontiers, one per allocation approach, with arrows labelled 6, 5 and 4 for the number of projects funded.]
Figure 2. Comparative effectiveness for resource allocation strategies.

Interestingly, the approach that has been advanced by Bodin et al. (2005) is shown to be the least effective. They propose that the ratio of benefits to costs can be used to provide more bang for the buck. However, as the second efficient frontier (based on the benefits/costs ratio) shows, the efficiency, in terms of maximizing benefits, is consistently lower than the other two approaches. So, while the effectiveness of this approach is more than that of relying purely on benefits to allocate resources, it is less effective than the LP-based resource allocation approach. While this may not always be so (Forman 2001), the LP-based benefit maximization approach makes sense because our aim is to maximize the benefits associated with IT security. The goal in the approach adopted in this paper is not to spend as much of the budgeted amount as possible. While the latter may be a realistic organizational goal (to avoid budget reductions in subsequent budgeting cycles, especially in organizations that practice zero-based budgeting), it is far
more important to spread the investment. From an IT security perspective it is more important to provide coverage for all identified areas of vulnerabilities than to optimize one or two selected areas. Therefore, it is more effective to fund two smaller IT security projects, the combined value of which may be (marginally) more than one large project that may send the cumulative cost over budget. It has been shown that the proposed method for making IT security portfolio decisions is parsimonious. This shows that one of the goals of decision-making in the context of IT security has been met. As mentioned in the beginning of this paper, one of the goals of decision making in the context of IT security is to take decisions expeditiously. This implies that a parsimonious decision making framework is needed, one that helps decision makers take the best decision without investing unreasonable time and resources. While there are alternative approaches such as those suggested by Butler (2002), Gordon and Loeb (2006) and Cavusoglu et al. (2004), they are encumbered by the need to collect a large body of information that is either composed of rare events (IT security failures and associated estimates of costs that can be attributed to such failures) or a series of estimates. The suggested approach is also extensible in that, if the goal was to minimize risk, then instead of assessing benefits, risks could be expressly addressed. In addition, if benefits are combined with risks, one could compute expected benefits. This could be done by computing risks for each alternative using a separate AHP model and using the priorities that are generated as probabilities of failure (p) associated with the different projects. The expected value of each of the alternatives could then be obtained by multiplying benefits by (1-p), the probability of success. The approach to IT security decisions presented in this paper also meets the objective of ensuring due diligence.
Identifying the organizational IT security goals and, further, identifying the criteria that are used to evaluate how these organizational security goals are met, not only ensures that the decision problem is fully enumerated (from a completeness perspective), but also ensures that an organization responds to IT security issues that are specific to its context and not to generic security issues that form part of the best practices approach. Neubauer et al. (2005) have identified the criticality of organization-specificity in the context of IT security related investment decisions.

Conclusion
This paper has shown how to formulate the IT security portfolio decision as one where multiple alternatives (initiatives or projects) can be evaluated based on multiple criteria (some of which may be subjective) in order to meet multiple goals (many of which may conflict with each other). A generic approach to IT security resource allocation has been provided that is flexible and can be customized for any organization. In doing so, it has been demonstrated how IT security investment decisions can be maximally aligned with the organizational security goals. In addition, given the absence of a normative basis to judge how good a decision is, it has been shown how to optimize IT security resource allocation decisions keeping in mind the organizational context and other singularities that are specific to the decision at hand. This work can be extended and enriched by
incorporating constraints that are not budgetary. These include constraints that involve must fund projects, dependency constraints (if project A is funded then project B has to be funded, or if project A is funded then project B can not be funded) and constraints that allow projects to be partially funded. In summary, it is believed that the proposed approach to IT security resource allocation will allow an organization to maximize the value of its IT security investments, improve communication and alignment between IT groups, users and managers, and allow IT security planners to schedule resources more efficiently.

References
Bodin, L. D.; Gordon, L. A. and Loeb, M. P. Evaluating information security investments using the Analytic Hierarchy Process, Communications of the ACM, (48:2), 2005, pp. 79-83.
Butler, S. A. Security Attribute Evaluation Method: A Cost-Benefit Approach, Proceedings of the 24th International Conference on Software Engineering (ICSE 2002), Orlando, FL, 2002, pp. 232-240.
Forman, E. H. and Selly, M. A. Decision by Objectives, World Scientific Publishing Co: River Edge, NJ, 2001.
Gordon, L. A. and Loeb, M. P. Budgeting process for information security expenditures, Communications of the ACM, (49:1), 2006, pp. 121-125.
Grance, T.; Hash, J.; Stevens, M.; O'Neal, K. and Bartol, N. Guide to Information Technology Security Services: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-35, 2003, http://csrc.nist.gov/publications/nistpubs/800-35/nist-sp800-35.pdf (last accessed on March 22, 2006).
Neubauer, T.; Klemen, M. and Biffl, S. Business process-based valuation of IT-security, ACM SIGSOFT Software Engineering Notes, 2005, (30:4), pp. 1-5.
OMB Circular No. A-11. Information technology and e-government, 2005, http://www.whitehouse.gov/omb/circulars/a11/current_year/s53.pdf (last accessed on March 22, 2006).
Roberts, P. Security Spending Swells, IDG News Service (PC World), 2003, http://www.pcworld.com/news/article/0,aid,109221,00.asp (last accessed on March 22, 2006).
Swanson, M.; Bartol, N.; Sabato, J.; Hash, J. and Graffo, L. Security Metrics Guide for Information Technology Systems, NIST Special Publication 800-55, 2003, http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf (last accessed on March 22, 2006).
Wheatman, V.; Smith, B.; Schroder, N.; Pescatore, J.; Nicolett, M.; Allan, A. and Mogull, R. What Your Organization Should Be Spending for Information Security, The Gartner Group, March 2005,
http://www.gartner.com/displaydocument?doc_cd=12633 (last accessed on March 22, 2006).

Appendix A: The security projects or initiatives
The eight security projects or initiatives are shown below for an operating division of an organization that has a mature IT setup and has been according the highest importance to IT security as part of its larger security and IT initiative. Since it is a financial institution in a large urban setting on the east coast of the US, the $200,000 IT security budget for recurring expenditure items is considered average [3].

Initiative or project: End user training (training programs and online material development)
Description: In-house and outsourced training programs for selected end-users and their representatives. This is a recurring activity that needs to take place every year. The intent is to ensure that all end users are exposed to at least one such training program every two years.
Budget ($): 56000

Initiative or project: End user support (firewall and anti virus software)
Description: This is part of the overall help desk support system. This is an outsourced activity and 2 FTEs (full time equivalents) are budgeted for this activity.
Budget ($): 24000

Initiative or project: Upgrade and maintain server for firewall
Description: The bundled cost for the server, installation and testing, along with the annual cost of maintaining it, is reflected.
Budget ($): 25000

Initiative or project: Revise and improve security process audit and quality office process
Description: Security processes need to be revised constantly. One half FTE (internal) is budgeted for this activity.
Budget ($): 43000

Initiative or project: Establish IT security task force (for security planning and coordination)
Description: The IT security task force needs to meet every month and take decisions on the direction of IT security and liaise with external bodies like regulatory agencies, standards bodies and key business partners. The cost reflects coordination, administrative and meeting costs.
Budget ($): 25000

Initiative or project: Establish separate security program office (for SOX and regulatory compliance reporting)
Description: This requires specific attention to IT security from the standpoint of the Sarbanes-Oxley Act. This office will form the interface between IT security, internal audit and the quality group. One FTE and office and administrative expenses are budgeted.
Budget ($): 95000

Initiative or project: Security operations group training (5 programs per year)
Description: This is the set of annual training programs for the internal IT security group professionals. Five programs attended by five persons each, and their travel and expenses, are budgeted for.
Budget ($): 59000

Initiative or project: Email spam filter enhancement
Description: Email spam has been a source of constant problems. Enhancements of the software and part-time manpower are reflected in this budgeted figure.
Budget ($): 12000

[3] In general, organizations tend to spend 3 percent to 6 percent of total IT spending on IT security (Wheatman et al., 2005).

Appendix B: Screenshots for computing sample priorities

[Figure B2.1: ExpertChoice screenshot of the hierarchy, with the goal, objectives and criteria on the left and the alternatives with their priorities on the right.]
Figure B2.1. Screen showing the goal, objectives, criteria and alternatives

Figure B2.1 shows how priorities (benefits) associated with alternatives were computed. The screenshot shows a specific scenario (not the one used for computations in the body of the paper). The goal is shown as "Maximize IT security Portfolio". The three objectives have to do with meeting management, operational and technical benefits. The criteria used to assess the extent to which requirements are met (and benefits captured) are shown as the leaf nodes on the tree on the left. The number alongside each of the elements shows the importance of the element. For instance, in this case, the operational objectives are rated as .672 while the management and technical objectives are rated as .063 and .265 respectively. The advantage of these ratio scales is that we can say the operational objective is 2.5 (.672/.265 = 2.54) times more important than the technical objective, and the technical objectives are four times (.265/.063 = 4.21) more important than the management objectives. The criteria for each of the objectives are interpreted the same way. For instance, from a management perspective, certification and accreditation is 1.2 (.201/.163 = 1.23) times more important than the security architecture; or, from a technical perspective, the benefits of intrusion detection (in general) are computed to be one-third (.230/.672 = .342) as important as firewalls. In the same way, the items on the right side of the screenshot in Figure B2.1 show the alternatives and their priorities (benefits). The most important project (i.e. the one with the highest relative benefits) is "Revise and improve security process audit and quality office process", followed by "Upgrade and maintain server for firewall". These final ratings for benefits were produced by providing ratings for each of the alternatives based on each of the criteria, as shown in Figure B2.2.

[Figure B2.2: ExpertChoice screenshot of the rating of each alternative against each criterion.]
Figure B2.2. Screen showing the alternatives and how they were rated based on each criterion