[HGI-News] HGI Seminar, Monday 4 Sept. 2006: Managing IT Security – a Quantifiable Endeavour?

Newsletter of the Horst Görtz Institute hgi-news at lists.ruhr-uni-bochum.de
Mon Aug 28 15:09:48 CEST 2006


   Dr. Clemens Martin, University of Ontario Institute of Technology

            Monday 4 September 2006, 13:15, room IC 4 / 39-41

            Managing IT Security – a Quantifiable Endeavour?

Measuring the performance of information security is becoming an increasing
need and an important tool for management and decision makers in any
organization, as attacks and the accompanying financial losses become more and
more significant. At the same time, spending on information security programs
is under increased scrutiny with regard to return on investment. From a
business perspective it can be stated that, as for many other business
processes, the following holds true for IT security: "If you cannot measure
it, you cannot control it, and if you cannot control it, you cannot improve
it".

Metrics are important tools for measuring information security performance,
for several reasons. Determining the security posture at any given time goes
beyond today's practice of periodic security assessments; the goal is to be
able to answer the question "How secure am I?" at any point in time.
Measuring security is also one component of ensuring compliance with new laws
and regulations. This is an area of increasing interest for companies in
North America and Europe, particularly in light of corporate financial
scandals such as Enron and WorldCom: auditors today want to know how the
digital crown jewels are protected before they issue a clean bill of health
for their clients. A second driving force is to improve accountability and to
bring efficiency to the handling of information security programs in
organizations, and thus ultimately to improve security. Knowing where the
organization stands with respect to IT security helps decision makers to
determine the success, and the return on investment, of security spending, as
well as to direct future efforts.

Our research concentrates on addressing the above questions. We describe a
model and a method for building a performance measurement framework. We
discuss how different types of security indicators can be determined, and we
describe the difficulties with others.

As a second aspect of measuring IT security, we describe an approach to
integrating security controls into a well-established and widely accepted
business quality framework. The European Foundation for Quality Management
(EFQM) model is a highly recognized business model employed by many European
businesses to achieve business excellence. It is a documented approach that
uses a number of metrics to determine the Total Quality Management (TQM)
level of an organization by assessing nine criteria. On the security side,
the US National Institute of Standards and Technology (NIST) has outlined 17
families of security controls, categorized as management, operational and
technical controls, from which the security state of an organization can be
deduced. While both perspectives are equally important, neither can
comprehensively capture the success of the business in isolation.
Realistically, an organization that strives to excel and gain a competitive
edge over its competitors while at the same time satisfying shareholders and
clients should adopt quality standards based on a holistic management
concept. This is what the EFQM model strives to instill, but it is limited
from a security standpoint. Security is a growing concern and must be
addressed as a quality issue in order to comply with legal stipulations,
social and ethical obligations, and productivity goals, which in turn must
reflect the principles of confidentiality, integrity and availability. Hence,
we propose that these two perspectives be merged into a framework that
addresses both the security and the business excellence ideals and is truly
reflective of the direction in which an organization is heading in terms of
profitability and long-term sustainability in a very security-conscious
world.

In this presentation we give an overview of where we currently stand with
this research program and of what we are going to work on in the future.


_____________________________________________________________________________
The HGI seminar web page with all information on past and future talks:
http://www.hgi.rub.de/deutsch/lehrangebot/seminar.html

More information about the Hgi-News-Deutschland mailing list