Abstract:
Organisations need practical security benchmarking tools in order to plan effective security strategies. This paper explores techniques that can be used to measure security within an organisation. The article shows that analysing the costs of cybercrime enables an organisation to use economic indicators to ensure information security and to justify security investments. Technical analysis of the implications of security failures is combined with an analysis of economic losses. The described approach is based on the results of a quantitative analysis of different security controls. Security controls are selected on the basis of their efficiency and the related cost. To assess the efficiency of the controls and select among them, one of the most adequate economic metrics is considered: return on investment. Return on security investment (ROSI) is used as an example for estimating the economic impact of security measures. The result of the ROSI calculation demonstrates whether the anticipated or delivered quantitative benefits exceed the costs of implementing the security measures.
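The abstract describes selecting controls by efficiency and cost and using ROSI to test whether the quantified benefit exceeds the cost of a measure. The following is an added illustration, not code from the paper: it applies the commonly used ROSI formula (benefit = annual loss expectancy × mitigation ratio; ROSI = (benefit − cost) / cost), which is assumed here rather than taken from the paper, and ranks several candidate controls against one risk. All risk figures, control names, costs and mitigation ratios are constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Risk:
    """A loss scenario quantified the classic way: SLE x ARO = ALE."""
    name: str
    single_loss_expectancy: float      # cost of one incident, in currency units
    annual_rate_of_occurrence: float   # expected number of incidents per year

    def annual_loss_expectancy(self) -> float:
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    """A candidate security measure with its yearly cost and expected effect."""
    name: str
    annual_cost: float        # implementation plus operating cost per year
    mitigation_ratio: float   # fraction of the ALE the control is expected to remove (0..1)


def rosi(control: Control, risk: Risk) -> float:
    """Return on security investment (assumed formula): (ALE*ratio - cost) / cost.

    A positive value means the quantified benefit exceeds the cost of the control;
    a negative value means the control costs more than the loss it prevents.
    """
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError(f"{control.name}: mitigation ratio must be in [0, 1]")
    if control.annual_cost <= 0.0:
        raise ValueError(f"{control.name}: annual cost must be positive")
    monetary_benefit = risk.annual_loss_expectancy() * control.mitigation_ratio
    return (monetary_benefit - control.annual_cost) / control.annual_cost


def benefits_exceed_cost(control: Control, risk: Risk) -> bool:
    """The decision the abstract describes: do the benefits exceed the cost?"""
    return rosi(control, risk) > 0.0


def rank_controls(controls: Iterable[Control], risk: Risk) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, highest (most efficient) first."""
    scored = [(c.name, rosi(c, risk)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample scenario (hypothetical figures, not from the paper).
SAMPLE_RISK = Risk(
    name="data breach via phishing",
    single_loss_expectancy=200_000.0,   # one incident costs 200k
    annual_rate_of_occurrence=0.25,     # expected once every four years -> ALE 50k
)

SAMPLE_CONTROLS = [
    Control("offline backups", annual_cost=10_000.0, mitigation_ratio=0.8),
    Control("endpoint detection", annual_cost=30_000.0, mitigation_ratio=0.9),
    Control("awareness training", annual_cost=8_000.0, mitigation_ratio=0.1),
]


if __name__ == "__main__":
    print(f"ALE for '{SAMPLE_RISK.name}': {SAMPLE_RISK.annual_loss_expectancy():,.0f}")
    for name, value in rank_controls(SAMPLE_CONTROLS, SAMPLE_RISK):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:20s} ROSI = {value:+.2f}  ({verdict})")
```

With these constructed numbers the ALE is 50,000; offline backups return 3.0 (a benefit of 40,000 against a cost of 10,000), endpoint detection returns 0.5, and awareness training returns −0.375, so only the first two pass the "benefits exceed cost" test. The ranking, not the absolute values, is what drives control selection; the inputs are estimates, so in practice the SLE, ARO and mitigation ratio should each be given a range and the ranking rechecked for sensitivity.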