Abstract
Contemporary approaches to estimating cybersecurity costs in organisations tend to focus on the cost of incidents or on technological investments. There are, however, other, less visible costs of cybersecurity management that must be recognised to obtain a complete picture: the costs of everyday activities and of the time employees spend on cybersecurity-related actions. These costs constitute a substantial component of cybersecurity expenditure, but because they become evident only under scrupulous analysis, they are often neglected. This paper presents new developments of CAsPeA, a method for estimating the cost of these activities based on a model derived from Activity-Based Costing (ABC) and the NIST SP 800-53 guidelines. The application of the method is illustrated by a case study of a civil engineering enterprise, and the method is evaluated by a comparative analysis with respect to SQUARE.
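As an added illustration (not the CAsPeA model itself, whose activity catalogue and rate tables are in the full paper), the following Python sketch shows the activity-based costing computation the abstract alludes to: labour hours spent on everyday security activities are priced at the hourly rate of the role performing them and aggregated by NIST SP 800-53 control family. The roles, salaries, activities and frequencies are constructed for the example; the PLN-to-USD conversion at a rounded rate of 4 follows note 5 below.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable

# Rounded average PLN/USD exchange rate, as used in the paper's notes.
PLN_PER_USD = 4.0


@dataclass(frozen=True)
class Role:
    """A resource in ABC terms: a job role with a gross monthly salary."""
    name: str
    monthly_gross_pln: float
    hours_per_month: float = 168.0  # assumed full-time month

    def hourly_rate_pln(self) -> float:
        return self.monthly_gross_pln / self.hours_per_month


@dataclass(frozen=True)
class Activity:
    """A recurring security task; the cost driver is labour time."""
    name: str
    control_family: str  # NIST SP 800-53 family identifier (AC, AT, AU, IR, SI, ...)
    role: Role
    hours_per_occurrence: float
    occurrences_per_year: float

    def annual_cost_pln(self) -> float:
        # ABC: driver quantity (hours per year) x resource rate (PLN per hour)
        return (self.hours_per_occurrence * self.occurrences_per_year
                * self.role.hourly_rate_pln())


def cost_by_family(activities: Iterable[Activity]) -> Dict[str, float]:
    """Aggregate annual labour cost (PLN) per NIST SP 800-53 control family."""
    totals: Dict[str, float] = defaultdict(float)
    for activity in activities:
        totals[activity.control_family] += activity.annual_cost_pln()
    return dict(totals)


def total_cost_usd(activities: Iterable[Activity]) -> float:
    """Total annual labour cost of the activities, converted to USD."""
    return sum(a.annual_cost_pln() for a in activities) / PLN_PER_USD


# Constructed sample data (hypothetical roles and salaries, not the case study's).
ADMIN = Role("system administrator", 8400.0)   # 50 PLN/h
ENGINEER = Role("civil engineer", 6720.0)      # 40 PLN/h
IT_MANAGER = Role("IT manager", 12600.0)       # 75 PLN/h

ACTIVITIES = [
    Activity("quarterly user account review", "AC", ADMIN, 4.0, 4),
    Activity("annual awareness training (per employee)", "AT", ENGINEER, 2.0, 40),
    Activity("weekly log review", "AU", ADMIN, 1.5, 52),
    Activity("monthly patch cycle", "SI", ADMIN, 6.0, 12),
    Activity("incident handling", "IR", IT_MANAGER, 8.0, 3),
]

if __name__ == "__main__":
    for family, cost in sorted(cost_by_family(ACTIVITIES).items()):
        print(f"{family}: {cost:,.0f} PLN/year")
    print(f"total: {total_cost_usd(ACTIVITIES):,.0f} USD/year")
```

Only labour time is costed here; tooling purchases and incident losses, which the abstract notes are what most estimates already capture, are deliberately outside the model so that the hidden time-based component stands out on its own.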
Notes
1. The study covered 355 organisations worldwide from various economic sectors.
2. Available at http://www.wynagrodzenia.pl/. Last access: 10.10.2020.
3. Source: www.exchangerates.org.uk/USD-EUR-exchange-rate-history.html. Last access: 10.10.2020.
4. Available at http://www.wynagrodzenia.pl/.
5. The values were converted to US dollars (USD) from Polish złoty at a rounded average exchange rate of 4. Roughly, the same rate can also be used to read the values in euro.
References
Accenture and Ponemon Institute: The cost of cybercrime: ninth annual cost of cybercrime study. Technical report (2019)
Gordon, L.A., Loeb, M.: Return on information security investments: myths vs. realities. J. Strateg. Financ. 84, 26–32 (2002)
Chapman, T.A., Reithel, B.J.: Perceptions of cybersecurity readiness among workgroup IT managers. J. Comput. Inf. Syst. 1–12 (2020). https://doi.org/10.1080/08874417.2019.1703224
Sonnenreich, W., Albanese, J., Stout, B.: Return on security investment (ROSI): a practical quantitative model. J. Res. Pract. Inf. Technol. 38, 55–66 (2006)
Leszczyna, R.: Cost of cybersecurity management. Cybersecurity in the Electricity Sector, pp. 127–147. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-19538-0_5
Leszczyna, R.: Approaching secure industrial control systems. IET Inf. Secur. 9(1), 81–89 (2015)
Leszczyna, R.: Cost assessment of computer security activities. Comput. Fraud Secur. 2013(7), 11–16 (2013)
Leszczyna, R.: Metoda szacowania kosztu zarządzania bezpieczeństwem informacji i przykład jej zastosowania w zakładzie opieki zdrowotnej [A method for estimating the cost of information security management and an example of its application in a healthcare institution]. Zeszyty Kolegium Analiz Ekonomicznych (2017)
Martin, K.: Controlling der Information Security [Controlling of information security]. In: Dieter, B.R., Ralf (eds.) Praxiswissen IT-Sicherheit: Praxishandbuch für Aufbau, Zertifizierung und Betrieb, chapter 03710. TÜV Media, 19 edn. (2011)
Brecht, M., Nowey, T.: A closer look at information security costs. In: Böhme, R. (ed.) The Economics of Information Security and Privacy, pp. 3–24. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39498-0_1
Detica and Office of Cyber Security and Information Assurance: The cost of cyber crime. Technical report (2011)
Anderson, R., et al.: Measuring the cost of cybercrime. In: Böhme, R. (ed.) The Economics of Information Security and Privacy, pp. 265–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39498-0_12
Moore, T., Clayton, R., Anderson, R.: The economics of online crime. J. Econ. Perspect. 23(3), 3–20 (2009)
Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. 11, 431–448 (2003)
Riek, M., Böhme, R., Ciere, M., Gañán, C., van Eeten, M.: Estimating the costs of consumer-facing cybercrime: a tailored instrument and representative data for six EU countries (2016)
Farahmand, F., Navathe, S.B., Sharp, G.P., Enslow, P.H.: Evaluating damages caused by information systems security incidents. In: Camp, L.J., Lewis, S. (eds.) Economics of Information Security. Advances in Information Security, vol. 12. Springer, Boston (2004). https://doi.org/10.1007/1-4020-8090-5_7
Sawik, T.: Selection of cybersecurity safeguards portfolio. Supply Chain Disruption Management. ISORMS, vol. 291, pp. 427–448. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44814-1_15
Daniele, P., Scrimali, L.: Strong Nash equilibria for cybersecurity investments with nonlinear budget constraints. In: Daniele, P., Scrimali, L. (eds.) New Trends in Emerging Complex Real Life Problems. ASS, vol. 1, pp. 199–207. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00473-6_22
Nagurney, A., Daniele, P., Shukla, S.: A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints. Ann. Oper. Res. 248, 405–427 (2016). https://doi.org/10.1007/s10479-016-2209-1
Ioannidis, C., Pym, D., Williams, J.: Investments and trade-offs in the economics of information security. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 148–166. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03549-4_9
Tatsumi, K., Goto, M.: Optimal timing of information security investment: a real options approach. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 211–228. Springer, Boston (2010). https://doi.org/10.1007/978-1-4419-6967-5_11
Böhme, R., Félegyházi, M.: Optimal information security investment with penetration testing. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 21–37. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17197-0_2
Bandyopadhyay, T., Mookerjee, V.: A model to analyze the challenge of using cyber insurance. Inf. Syst. Front. 21(2), 301–325 (2017). https://doi.org/10.1007/s10796-017-9737-3
Bartolini, D.N., Benavente-Peces, C., Ahrens, A.: Using risk assessments to assess insurability in the context of cyber insurance. In: Obaidat, M.S., Cabello, E. (eds.) ICETE 2017. CCIS, vol. 990, pp. 337–345. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-11039-0_16
Pal, R., Golubchik, L.: On the economics of information security. ACM SIGMETRICS Perform. Eval. Rev. 38(2), 51 (2010)
Shetty, N., Schwartz, G., Felegyhazi, M., Walrand, J.: Competitive cyber-insurance and internet security. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 229–247. Springer, Boston (2010). https://doi.org/10.1007/978-1-4419-6967-5_12
Havakhor, T., Rahman, M., Zhang, T.: Cybersecurity investments and the cost of capital. SSRN Electron. J. (2020). https://doi.org/10.2139/ssrn.3553470
Rodrigues, B., Franco, M., Parangi, G., Stiller, B.: SEConomy: a framework for the economic assessment of cybersecurity. In: Djemame, K., Altmann, J., Bañares, J.Á., Agmon Ben-Yehuda, O., Naldi, M. (eds.) GECON 2019. LNCS, vol. 11819, pp. 154–166. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36027-6_13
Chessa, M., Loiseau, P.: A cooperative game-theoretic approach to quantify the value of personal data in networks (2016)
Robinson, N., Potoglou, D., Kim, C., Burge, P., Warnes, R.: Security at what cost? In: Moore, T., Shenoi, S. (eds.) ICCIP 2010. IAICT, vol. 342, pp. 3–15. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16806-2_1
Ponemon Institute and IBM: Data breach risk calculator. Website (2016)
The Economist Intelligence Unit: CyberTab: free tool estimates damages from attacks (2014)
Websense: TCO calculator: websense hosted email security calculator. Website (2016)
Symantec: Small business risk calculator. Website (2016)
Su, X.: An overview of economic approaches to information security management. Technical report, University of Twente (2006)
Rezmierski, V., Deering, S., Fazio, A., Ziobro, S.: Incident cost analysis and modeling project. Final Report. Technical report, Committee on Institutional Cooperation Chief Information Officers Committee (1998)
Rezmierski, V., Carroll, A., Hine, J.: Incident cost analysis and modeling project II. Final Report. Technical report, Committee on Institutional Cooperation Chief Information Officers Committee (2000)
Butler, S.A.: Security attribute evaluation method: a cost-benefit approach. In: Proceedings of the 24th International Conference on Software Engineering - ICSE 2002, p. 232. ACM Press, New York (2002)
Xie, N., Mead, N.R.: SQUARE project: cost/benefit analysis framework for information security improvement projects in small companies. Technical report, Carnegie Mellon University (2004)
Anderson, R., Moore, T.: Information security economics – and beyond. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 68–91. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_5
Mercuri, R.T.: Analyzing security costs. Commun. ACM 46(6), 15–18 (2003)
Radziwill, N.M., Benton, M.C.: Cybersecurity cost of quality: managing the costs of cybersecurity risk management. Softw. Qual. Prof. 19(3), 25–43 (2017)
Heitzenrater, C.D., Simpson, A.: Policy, statistics and questions: reflections on UK cyber security disclosures. J. Cybersecur. 2, 43–56 (2016)
Akbari Roumani, M., Fung, C., Rai, S., Xie, H.: Value analysis of cyber security based on attack types. ITMSOC: Trans. Innov. Bus. Eng. 1, 34–39 (2016)
Mallios, Y., Bauer, L., Kaynar, D., Martinelli, F., Morisset, C.: Probabilistic cost enforcement of security policies. J. Comput. Secur. 23, 759–787 (2015)
Yang, Y., Jing, D., Wang, Q.: Shaping the effort of developing secure software. Procedia Comput. Sci. 44, 609–618 (2015)
Zineddine, M.: Vulnerabilities and mitigation techniques toning in the cloud: a cost and vulnerabilities coverage optimization approach using Cuckoo search algorithm with Lévy flights. Comput. Secur. 48, 1–18 (2015)
National Institute of Standards and Technology (NIST): NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations. U.S. Government Printing Office (2013)
Dittrich, D.A.: Developing an effective incident cost analysis mechanism. Internet (2002)
Copyright information
© 2020 Springer Nature Switzerland AG
Leszczyna, R., Litwin, A. (2020). Estimating the Cost of Cybersecurity Activities with CAsPeA: A Case Study and Comparative Analysis. In: Kanhere, S., Patil, V.T., Sural, S., Gaur, M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science, vol. 12553. Springer, Cham. https://doi.org/10.1007/978-3-030-65610-2_17
DOI: https://doi.org/10.1007/978-3-030-65610-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65609-6
Online ISBN: 978-3-030-65610-2
eBook Packages: Computer Science (R0)