Abstract:
If companies wish to safeguard their value chain, they should invest with the singular goal of securing revenues by taking adequate risk countermeasures. However, the investment in a risk countermeasure must be reflected in an adequate safeguarding of the value chain. In other words, the investment in safeguarding, e.g., the implementation of an ISMS based on ISO/IEC 27001:2005, must be commensurate with the benefit to the value chain. As a direct analysis is difficult, a suitable alternative must be found. In this paper, we propose using Key Performance Indicators (KPI) as such an alternative, one that accounts for both the effectiveness and the economic efficiency of an ISMS. However, the KPIs for effectiveness and efficiency are contradictory and constitute a trade-off. In order to minimize the reduction in turnover, we propose using combinatorial optimization. Such an optimization weighs the benefit of a policy, in terms of the risk reduced by each control, against the cost of each control in terms of avoiding, mitigating or transferring the risk, up to some predetermined investment limit.
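The control-selection step the abstract describes, reduced to a 0/1 knapsack, as an added example that is not code from the paper: controls carry a constructed implementation cost and a constructed expected-loss reduction (the risk benefit), the investment limit is the knapsack capacity, and the two KPIs named in the abstract (effectiveness as share of total risk covered, efficiency as benefit per unit of cost) are computed for the chosen set.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str     # hypothetical control label (constructed)
    cost: int     # implementation cost, in arbitrary money units (constructed)
    benefit: int  # expected annual loss avoided if implemented (constructed)


# Constructed sample portfolio; figures are illustrative only.
CONTROLS: List[Control] = [
    Control("access control", 40, 120),
    Control("offsite backup", 25, 90),
    Control("network segmentation", 60, 150),
    Control("incident management", 30, 70),
    Control("physical security", 50, 60),
]


def select_controls(controls: List[Control], budget: int) -> Tuple[List[Control], int]:
    """0/1 knapsack: maximise total risk reduction without exceeding the investment limit."""
    n = len(controls)
    # best[i][b] = max benefit using the first i controls with total cost <= b
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i, c in enumerate(controls, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]  # option 1: skip control i
            if c.cost <= b:              # option 2: take control i if it fits
                with_c = best[i - 1][b - c.cost] + c.benefit
                if with_c > best[i][b]:
                    best[i][b] = with_c
    # Backtrack to recover which controls produced the optimum.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(controls[i - 1])
            b -= controls[i - 1].cost
    chosen.reverse()
    return chosen, best[n][budget]


def kpis(chosen: List[Control], controls: List[Control]) -> Dict[str, float]:
    """Effectiveness = risk covered / total risk; efficiency = benefit per unit spent."""
    total_risk = sum(c.benefit for c in controls)
    benefit = sum(c.benefit for c in chosen)
    spent = sum(c.cost for c in chosen)
    return {
        "effectiveness": benefit / total_risk if total_risk else 0.0,
        "efficiency": benefit / spent if spent else 0.0,
        "spent": float(spent),
    }
```

Raising the budget improves effectiveness but usually lowers efficiency, which is the trade-off between the two KPIs that the abstract points out.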
Keywords:
IEC standards; ISO standards; cost-benefit analysis; economic indicators; investment; risk management; security of data; ISMS; ISO 27001; ISO/IEC 27001:2005; Key Performance Indicators; combinatorial optimization; cost-benefit trade-off analysis; economic efficiency; information security management system; investment limit; risk countermeasures; value chain; Availability; Companies; Information management; Information security; Investments; NIST; Telephony; ISO/IEC 27001; effectiveness; efficiency; knapsack problem