Estimating the Cost of Cybersecurity Activities with CAsPeA: A Case Study and Comparative Analysis

  • Conference paper
  • Information Systems Security (ICISS 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12553)

Abstract

Contemporary approaches to the estimation of cybersecurity costs in organisations tend to focus on the cost of incidents or on technological investments. However, there are other, less transparent costs related to cybersecurity management that need to be properly recognised in order to obtain a complete picture. These costs are associated with everyday activities and the time employees spend on cybersecurity-related actions. Such costs constitute a substantial component of cybersecurity expenditure, but because they become evident only during scrupulous analyses, they are often neglected. This paper presents new developments of CAsPeA – a method for estimating the cost of these activities based on a model derived from Activity-Based Costing (ABC) and the NIST SP 800-53 guidelines. The application of the method is illustrated by a case study of a civil engineering enterprise. An evaluation of the method, based on a comparative analysis with respect to SQUARE, is described.


Notes

  1. The study covered 355 organisations worldwide from various economic sectors.

  2. Available at http://www.wynagrodzenia.pl/. Last access: 10.10.2020.

  3. Source: www.exchangerates.org.uk/USD-EUR-exchange-rate-history.html. Last access: 10.10.2020.

  4. Available at http://www.wynagrodzenia.pl/.

  5. The values were converted to US dollars (USD) from Polish złoty using a rounded average exchange rate of 4. Roughly, the same rate can also be used to interpret the values in euros.


Author information

Corresponding author

Correspondence to Rafał Leszczyna.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Leszczyna, R., Litwin, A. (2020). Estimating the Cost of Cybersecurity Activities with CAsPeA: A Case Study and Comparative Analysis. In: Kanhere, S., Patil, V.T., Sural, S., Gaur, M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science, vol. 12553. Springer, Cham. https://doi.org/10.1007/978-3-030-65610-2_17

  • DOI: https://doi.org/10.1007/978-3-030-65610-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65609-6

  • Online ISBN: 978-3-030-65610-2

  • eBook Packages: Computer Science (R0)
