Z. Collier, Brett Briglia, Thomas Finkelston, Mark C. Manasco, David L. Slutzky, J. Lambert
Title: On metrics and prioritization of investments in hardware security
Journal: Systems Engineering, volume 26 1, pages 425 - 437
Published: 2023-03-07
DOI: 10.1002/sys.21667 (https://doi.org/10.1002/sys.21667)
Publication type: Journal Article
Impact factor: 1.6; JCR: Q4 (ENGINEERING, INDUSTRIAL)
Citations: 2
Abstract
The security risks posed by electronics are numerous. There are typically a variety of risk‐reducing countermeasures for a given system or across an enterprise. Each countermeasure is associated with both a level of risk reduction and its lifecycle costs. Given budgetary constraints, risk managers and systems engineers must determine what combinations of countermeasures cost‐effectively maximize risk reduction, and what metrics best guide the investment process. In this paper, we seek to answer these questions through exploration of risk reduction metrics from the field of security economics, including the benefit/cost ratio, return on security investment (ROSI), expected benefit of information security (EBIS), and expected net benefit of information security (ENBIS). The results suggest that ratio‐based metrics are not strongly correlated with risk reduction, while EBIS is equivalent to risk reduction and ENBIS is equal to risk reduction minus cost.
About the journal:
Systems Engineering is a discipline whose responsibility it is to create and operate technologically enabled systems that satisfy stakeholder needs throughout their life cycle. Systems engineers reduce ambiguity by clearly defining stakeholder needs and customer requirements, they focus creativity by developing a system’s architecture and design and they manage the system’s complexity over time. Considerations taken into account by systems engineers include, among others, quality, cost and schedule, risk and opportunity under uncertainty, manufacturing and realization, performance and safety during operations, training and support, as well as disposal and recycling at the end of life. The journal welcomes original submissions in the field of Systems Engineering as defined above, but also encourages contributions that take an even broader perspective including the design and operation of systems-of-systems, the application of Systems Engineering to enterprises and complex socio-technical systems, the identification, selection and development of systems engineers as well as the evolution of systems and systems-of-systems over their entire lifecycle.
Systems Engineering integrates all the disciplines and specialty groups into a coordinated team effort forming a structured development process that proceeds from concept to realization to operation. Increasingly important topics in Systems Engineering include the role of executable languages and models of systems, the concurrent use of physical and virtual prototyping, as well as the deployment of agile processes. Systems Engineering considers both the business and the technical needs of all stakeholders with the goal of providing a quality product that meets the user needs. Systems Engineering may be applied not only to products and services in the private sector but also to public infrastructures and socio-technical systems whose precise boundaries are often challenging to define.