Foreign-language journal: Computers & Security

A cost model for managing information security hazards


Abstract

We present a model for the estimation of costs of risks and losses due to accidental or deliberate disclosure, transfer, delay, modification, or destruction of information. The model is characterized by (1) strong emphasis on consequence analysis, (2) high-level classification of risk objects, loss-provoking events, losses, loss costs and data items, and (3) typing data values according to their degree of vagueness. It has a sound theoretical background and is designed for practical use in the telecommunications industry. In order to provide a firm basis for risk analysis and loss accounting we use an object-oriented approach to security called the PPIFEB approach. We compare this approach with some other approaches: (1) the organization-oriented approach found in most standard references; (2) the event/threat-oriented approach WAECUP of Bottom and Kostanoski [Introduction to Security and Loss Control, Prentice-Hall, New York, 1990]; and (3) the process-oriented approach of Post et al. [Security Administration: An Introduction to the Protective Services, 4th Edition, Butterworth-Heinemann, 1994] based on generic security functions. We claim that the PPIFEB approach is the most appropriate for risk analysis and loss accounting.