Optimum Spending on Cybersecurity Measures: Part II

Sherita Tara Kissoon
DOI: 10.4236/JIS.2021.121007 (https://doi.org/10.4236/JIS.2021.121007)
Journal: 信息安全(英文) (Information Security, English edition), Vol. 12, No. 1, pp. 137-161
Published: 2021-01-21 (Journal Article)
Citations: 3

Abstract

The purpose of this research is to investigate the decision-making process for cybersecurity investments in organizations through the development and utilization of a digital cybersecurity risk management framework. The initial article, Optimum Spending on Cybersecurity Measures, published on Emerald Insight at https://www.emerald.com/insight/1750-6166.htm, contains the detailed literature review and the data results from Phase I and Phase II of this research [1]. This article highlights the research completed in the area of organizational decision-making on cybersecurity spend. Building on a review of additional studies, this research uses a regression framework and a case study methodology to demonstrate that effective risk-based decisions are necessary when implementing cybersecurity controls. Through regression analysis, the effectiveness of the cybersecurity measures currently implemented in organizations is explored by relating a dependent variable to several independent variables. The focus of this article is on the strategic decisions made by organizations when implementing cybersecurity measures. This research belongs to the area of risk management and draws on various models within the fields of 1) information security; 2) strategic management; and 3) organizational decision-making to determine optimum spending on cybersecurity measures for risk-taking organizations. This research resulted in the development of a cyber risk investment model and a digital cybersecurity risk management framework. Using a case study methodology, this model and framework were leveraged to evaluate and implement cybersecurity measures.
The case study methodology provides an in-depth view of a risk-taking organization's risk mitigation strategy within the bounds of the educational environment, focusing on five areas identified within a digital cyber risk model: 1) technology landscape and application portfolio; 2) data-centric focus; 3) risk management practices; 4) cost-benefit analysis for cybersecurity measures; and 5) strategic development. The outcome of this research provides greater insight into how an organization makes decisions when implementing cybersecurity controls. This research shows that most organizations are diligently implementing security measures to effectively monitor and detect cybersecurity attacks; specifically, it shows that risk-taking organizations implemented cybersecurity measures to meet compliance and audit obligations with an annual spend of $3.18 million. It also indicated that 23.6% of risk-taking organizations incurred more than 6 cybersecurity breaches, with an average dollar loss of $3.5 million. In addition, the impacts of a cybersecurity breach on risk-taking organizations are as follows: 1) data loss; 2) brand/reputational impact; 3) financial loss and fines; 4) increased oversight by regulators/internal audit; and 5) customer/client impact. The implications of this research for practice are extensive, as it covers a broad range of areas including risk, funding, and the type and impact of the cybersecurity breaches encountered. The survey study clearly demonstrated the need to develop and utilize a digital cybersecurity risk management framework that integrates current industry frameworks within the risk management practice, including continuous compliance management. This type of framework would provide a balanced approach to managing the gap between a risk-taking organization and a risk-averse organization when implementing cybersecurity measures.