E-Book, Englisch, 286 Seiten
Reihe: Progress in IS
Beissel Cybersecurity Investments
1. Auflage 2016
ISBN: 978-3-319-30460-1
Verlag: Springer Nature Switzerland
Format: PDF
Kopierschutz: 1 - PDF Watermark
Decision Support Under Economic Aspects
E-Book, Englisch, 286 Seiten
Reihe: Progress in IS
ISBN: 978-3-319-30460-1
Verlag: Springer Nature Switzerland
Format: PDF
Kopierschutz: 1 - PDF Watermark
This book offers readers essential orientation on cybersecurity safeguards, and first and foremost helps them find the right balance between financial expenditures and risk mitigation. This is achieved by pursuing a multi-disciplinary approach that combines well-founded methods from economics and the computer sciences. Established decision making techniques are embedded into a walk-through for the complete lifecycle of cybersecurity investments. Insights into the economic aspect of the costs and benefits of cybersecurity are supplemented by established and innovative economic indicators. Readers will find practical tools and techniques to support reasonable decision making in cybersecurity investments. Further, they will be equipped to encourage a common understanding using economic aspects, and to provide cost transparency for the senior management.
Stefan Beissel, Ph.D., MBA, CISA, CISSP, PMP, holds a professorship in Information Systems at a university of applied sciences in Germany. He has many years of professional experience in Information Security and IT Audit at internationally operating companies.
Autoren/Hrsg.
Weitere Infos & Material
1;Preface;6
2;Contents;8
3;1 Introduction;11
3.1;1.1 Threat Level in Cyberspace;11
3.2;1.2 New Challenges for Cybersecurity;12
3.3;1.3 Integration of Economic Aspects;15
3.4;1.4 Outlook to the Following Chapters;15
4;2 Foundations of Cybersecurity;17
4.1;2.1 History;17
4.2;2.2 Cybersecurity Principles;19
4.2.1;2.2.1 Basic Cybersecurity Principles;20
4.2.1.1;2.2.1.1 Confidentiality;20
4.2.1.2;2.2.1.2 Integrity;21
4.2.1.3;2.2.1.3 Availability;22
4.2.2;2.2.2 Extended Cybersecurity Principles;23
4.2.2.1;2.2.2.1 Access Control;23
4.2.2.2;2.2.2.2 Regularity;24
4.2.2.3;2.2.2.3 Legal Certainty;25
4.2.2.4;2.2.2.4 Authenticity;26
4.2.2.5;2.2.2.5 Non-contestability;27
4.2.2.6;2.2.2.6 Traceability;28
4.2.2.7;2.2.2.7 Non-repudiation;29
4.2.2.8;2.2.2.8 Accountability;30
4.2.2.9;2.2.2.9 Reliability;30
4.3;2.3 Protection Level;31
4.4;2.4 Protection Scope;31
4.4.1;2.4.1 Network Segmentation;34
4.4.2;2.4.2 Point-to-Point Encryption;35
4.4.3;2.4.3 Tokenization;36
4.4.4;2.4.4 Outsourcing;37
4.5;2.5 Stakeholders of Cybersecurity;39
5;3 Cybersecurity Safeguards;45
5.1;3.1 Distinction of Cybersecurity Safeguards;45
5.2;3.2 Common Cybersecurity Safeguards;47
5.2.1;3.2.1 Policies and Procedures;47
5.2.2;3.2.2 Need to Know;49
5.2.3;3.2.3 Separation of Duties;49
5.2.4;3.2.4 Awareness and Training;50
5.2.5;3.2.5 Background Checks;52
5.2.6;3.2.6 Data Classification;53
5.2.7;3.2.7 Revision Control;53
5.2.8;3.2.8 Outsourcing;55
5.2.9;3.2.9 Incident Management;55
5.2.10;3.2.10 Testing;57
5.2.11;3.2.11 Supervising;59
5.2.12;3.2.12 Job Rotation and Vacation;60
5.2.13;3.2.13 Reporting;61
5.2.14;3.2.14 Business Continuity Management;63
5.2.15;3.2.15 Software Escrow;64
5.2.16;3.2.16 Incident Response;65
5.2.17;3.2.17 Insurances;66
5.2.18;3.2.18 Access Control Systems;67
5.2.19;3.2.19 Application Control;69
5.2.20;3.2.20 Network Security;70
5.2.21;3.2.21 Hardening;72
5.2.22;3.2.22 Secure Software Development;73
5.2.23;3.2.23 Encryption;74
5.2.24;3.2.24 Data Leakage Prevention;76
5.2.25;3.2.25 Technical Resilience;77
5.2.26;3.2.26 Malware Protection;78
5.2.27;3.2.27 Intrusion Detection Systems;80
5.2.28;3.2.28 File Integrity Monitoring;81
5.2.29;3.2.29 Audit Trails;82
5.2.30;3.2.30 Patch Management;84
5.2.31;3.2.31 Disaster Recovery;85
5.2.32;3.2.32 Backups;86
5.2.33;3.2.33 Journaling File System;87
6;4 Economic Aspects;88
6.1;4.1 Financial Indicators;88
6.1.1;4.1.1 Static Indicators;91
6.1.1.1;4.1.1.1 Cost Comparison;91
6.1.1.2;4.1.1.2 Profit Comparison;95
6.1.1.3;4.1.1.3 Return on Investment;96
6.1.1.4;4.1.1.4 Static Payback Period;97
6.1.2;4.1.2 Dynamic Indicators;97
6.1.2.1;4.1.2.1 Net Present Value;99
6.1.2.2;4.1.2.2 Net Future Value;100
6.1.2.3;4.1.2.3 Equivalent Annual Annuity;101
6.1.2.4;4.1.2.4 Internal Rate of Return;101
6.1.2.5;4.1.2.5 Visualization of Financial Implications;103
6.2;4.2 Asset Appraisement;105
6.3;4.3 Risk Evaluation;109
6.3.1;4.3.1 Risk Definition;109
6.3.2;4.3.2 Risk Response;111
6.3.3;4.3.3 Risk Management Frameworks;112
6.3.3.1;4.3.3.1 COBIT;114
6.3.3.2;4.3.3.2 CRAMM;117
6.3.3.3;4.3.3.3 FAIR;119
6.3.3.4;4.3.3.4 FRAAP;122
6.3.3.5;4.3.3.5 OCTAVE;123
6.3.3.6;4.3.3.6 RMF;125
6.3.3.7;4.3.3.7 RMM;127
6.3.3.8;4.3.3.8 TARA;130
6.3.4;4.3.4 Risk Indicators;132
6.3.4.1;4.3.4.1 Quantitative Indicators;133
6.3.4.2;4.3.4.2 Qualitative Indicators;134
6.4;4.4 Cybersecurity Costs;135
6.4.1;4.4.1 Safeguard Costs;139
6.4.2;4.4.2 Breach Costs;144
6.5;4.5 Cybersecurity Benefits;149
7;5 Foundations of Decision Making;151
7.1;5.1 Motives;151
7.2;5.2 Simple Additive Weighting;152
7.3;5.3 Analytic Hierarchy Process;154
7.4;5.4 Decision Difficulties;157
7.4.1;5.4.1 Cost Aspects;157
7.4.2;5.4.2 Time Aspects;158
7.4.3;5.4.3 Quality Aspects;161
7.4.4;5.4.4 Interdependencies;164
8;6 Lifecycle of Cybersecurity Investments;166
8.1;6.1 Overview of Lifecycle Steps;166
8.2;6.2 Initiation;171
8.3;6.3 Sponsoring;175
8.4;6.4 Decision Problem Identification;178
8.4.1;6.4.1 Strategy Determination;180
8.4.2;6.4.2 Scope Determination;191
8.4.3;6.4.3 Asset Value Measurement;199
8.4.4;6.4.4 Risk Analysis;201
8.4.5;6.4.5 Protection Requirements;205
8.4.6;6.4.6 Adequacy of the Decision Making Technique;207
8.4.7;6.4.7 Involvement of Stakeholders;208
8.5;6.5 Attribute Identification;211
8.6;6.6 Attribute Evaluation;219
8.7;6.7 Alternative Identification;224
8.8;6.8 Alternative Evaluation;230
8.8.1;6.8.1 Exclusion Attributes Analysis;232
8.8.2;6.8.2 Comparison Attributes Analysis;234
8.8.3;6.8.3 Sensitivity Analysis;243
8.9;6.9 Selection of the Best Alternative;245
8.10;6.10 Approval;247
8.11;6.11 Planning;253
8.12;6.12 Implementation;258
8.13;6.13 Closing;263
8.14;6.14 Operation;265
8.15;6.15 Maintenance;266
8.16;6.16 Termination;269
9;7 Summary;271
9.1;7.1 Prerequisite Knowledge;271
9.2;7.2 Decision Making Knowledge;276
9.3;7.3 Checklist;279
10;References;281
11;Index;284
