- Revenue increase may come from a managed security service (MSS) where
  the security organization offers subscriptions to other organizations. A safe
  and thus highly available solution may generate additional sales to customers
  with high service level expectations.
- Safeguarding a retail E-commerce system protects and sustains the revenue
  stream generated by that system.
- As E-risk insurance becomes more prevalent, appropriate IA safeguards may
  reduce insurance premiums (cost reduction); likewise, the appropriate
  safeguard technology may reduce labor costs (e.g., personnel manually
  isolating and treating malware).
- Cost avoidance comes in the form of legislative compliance and avoiding the
  fines associated with noncompliance.
4.3.2.2  Development (Quality Measurement)
The software development industry has a long history of bugs, tracking bugs, and
adding design and development features to find and fix bugs as early in the
development cycle as possible, the premise being that it is cheaper to fix a bug earlier than
later. This process is software quality assurance (SQA). Treating security flaws as
one form of software bug uses SQA techniques as an IA tool in the development
process. All the quantified benefits of SQA also apply to IA.
4.3.2.3  Operational (Functional Parameter Measurement)
Operational quantification may consist of risk management and attack modeling;
these are models that may provide insight into what-if scenarios that will illuminate
the results of implementing or not implementing IA safeguards, or maintaining,
lowering, or raising certain levels of security.
4.3.2.4  Risk Management (Standard Risk Assessment Quantification)
The risk assessment quantification includes the standard asset value, exposure factor
(EF), annualized rate of occurrence (ARO), single loss expectancy (SLE), annual
loss expectancy (ALE), etc. There are many topics dedicated to risk assessments. An
effective risk assessment approach remains a challenge for the IA industry.
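
The quantities named above can be combined into the kind of what-if comparison the operational section describes. The following is an added example, not code from the original text: it uses the standard definitions SLE = asset value x EF and ALE = SLE x ARO, ranks safeguards by net annual benefit (ALE without the safeguard, minus ALE with it, minus its yearly cost), and every figure and safeguard name in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One what-if case for a single asset and threat."""
    name: str
    exposure_factor: float    # EF: fraction of asset value lost per incident (0..1)
    aro: float                # ARO: expected incidents per year
    annual_cost: float = 0.0  # yearly safeguard cost; 0 when nothing is deployed

def sle(asset_value, ef):
    """Single loss expectancy: asset value x exposure factor."""
    if asset_value < 0 or not 0.0 <= ef <= 1.0:
        raise ValueError("asset value must be >= 0 and EF within [0, 1]")
    return asset_value * ef

def ale(asset_value, ef, aro):
    """Annual loss expectancy: SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO must be >= 0")
    return sle(asset_value, ef) * aro

def compare(asset_value, baseline, options):
    """Return (baseline ALE, safeguards ranked by net annual benefit)."""
    base_ale = ale(asset_value, baseline.exposure_factor, baseline.aro)
    rows = []
    for opt in options:
        opt_ale = ale(asset_value, opt.exposure_factor, opt.aro)
        # Net benefit = loss avoided per year minus what the safeguard costs.
        net = base_ale - opt_ale - opt.annual_cost
        rows.append((opt.name, opt_ale, net))
    return base_ale, sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed figures for a hypothetical retail e-commerce system.
ASSET_VALUE = 500_000.0
BASELINE = Scenario("no safeguard", exposure_factor=0.5, aro=0.5)
OPTIONS = [
    Scenario("lowers ARO (filtering)", 0.5, 0.125, annual_cost=20_000.0),
    Scenario("lowers EF (segmentation)", 0.125, 0.5, annual_cost=40_000.0),
    Scenario("lowers both (costly)", 0.25, 0.25, annual_cost=120_000.0),
]

if __name__ == "__main__":
    base, ranked = compare(ASSET_VALUE, BASELINE, OPTIONS)
    print(f"ALE with no safeguard: {base:,.0f}")
    for name, residual, net in ranked:
        verdict = "worth it" if net > 0 else "costs more than it saves"
        print(f"{name:26} residual ALE {residual:>9,.0f}  net {net:>10,.0f}  {verdict}")
```

All three constructed safeguards leave the same residual ALE, so the ranking is decided by safeguard cost alone, and the most expensive one comes out with a negative net benefit.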
4.3.2.5  Attack Modeling
A system supports the fulfillment of a business function. Vulnerabilities reside
within systems. A threat exploiting a vulnerability will have an effect on that sys-