Security attribute evaluation method a cost-benefit approach

• Published in: Proceedings - International Conference on Software Engineering pp. 232 - 240
• Main Author: Butler, Shawn A.
• Format: Conference Proceeding Journal Article
• Language: English
• Published: New York, NY, USA ACM 01.01.2002
• Series: ACM Conferences
• Subjects: Applied sciences; Computer science; control theory; systems; Exact sciences and technology; Security and privacy; Social and professional topics > Computing > technology policy > Computer crime; Social and professional topics > Professional topics > Management of computing and information systems > Implementation management > Pricing and resource allocation; Social and professional topics > Professional topics > Management of computing and information systems > Project and people management; Social and professional topics > Professional topics > Management of computing and information systems > Software management; Software; Software engineering; Sensitivity analysis; Software development; Information system; Risk assessment; Safety; Cost benefit analysis; Risk analysis; Software engineering
• ISBN: 158113472X; 9781581134728
• ISSN: 0270-5257
• DOI: 10.1145/581339.581370

Conducting cost-benefit analyses of architectural attributes such as security has always been difficult, because the benefits are difficult to assess. Specialists usually make security decisions, but program managers are left wondering whether their investment in security is well spent. This paper summarizes the results of using a cost-benefit analysis method called SAEM to compare alternative security designs in a financial and accounting information system. The case study presented in this paper starts with a multi-attribute risk assessment that results in a prioritized list of risks. Security specialists estimate countermeasure benefits and how the organization's risks are reduced. Using SAEM, security design alternatives are compared with the organization's current selection of security technologies to see if a more cost-effective solution is possible. The goal of using SAEM is to help information-system stakeholders decide whether their security investment is consistent with the expected risks.