Abstract
Organisations invest in technical and procedural capabilities to ensure the confidentiality, integrity and availability of information assets and sustain business continuity at all times. However, given growing productive assets and limited protective security budgets, there is a need for deliberate evaluation of information security investment. Optimal resource allocation to security is often affected by intrinsically uncertain variables and associated factors like technical, economical and psychological; therefore, security expenditure is a crucial resource allocation decision. In spite of that, security managers and business owners are often incentivised by different drivers on whether to allocate optimal resources to cyber-specific security protective assets or other business productive assets. Hence, there is a disparity of opinion in resource allocation decisions. We explored how Monte Carlo predictive simulation model can be used within the context of Information Technology to reduce these disparities. Using a conceptual enterprise as a case study and verifiable historical cost of security breaches as parametric values, our model shows why using conventional risk assessment approach as budgeting process can result in significant over/under allocation of resources for cyber capabilities. Our model can serve as a benchmark for policy and decision support to aid stakeholders in optimising resource allocation for cyber security investments.
Original language | English |
---|---|
Pages (from-to) | 152-167 |
Number of pages | 16 |
Journal | International Journal of Critical Infrastructures |
Volume | 13 |
Issue number | 2-3 |
Early online date | 1 Dec 2017 |
DOIs | |
Publication status | Published - Dec 2017 |
Keywords
- Information Security
- risk assessment
- Resource allocation
- Monte-Carlo simulation
- Security investment decision