2009 International Conference on Availability, Reliability and Security
Cost-Benefit Trade-Off Analysis of an ISMS Based on ISO 27001
Fukuoka Institute of Technology, Fukuoka, Japan
March 16-March 19
ISBN: 978-0-7695-3564-7
If companies wish to safeguard their value chain, they should invest with the single goal of securing revenues by taking adequate risk countermeasures. However, the investment in a risk countermeasure must be reflected in adequate safeguarding of the value chain. In other words, the investment in safeguarding, e.g. the implementation of an ISMS based on ISO/IEC 27001:2005, must be comparable to the benefit it yields for the value chain. Since a direct analysis is difficult, a suitable alternative must be found. In this paper we propose Key Performance Indicators (KPIs) as such an alternative, used to measure the effectiveness and the economic efficiency of an ISMS. However, the effectiveness KPI and the efficiency KPI pull in opposite directions and therefore constitute a trade-off. In order to minimize the reduction in turnover, we propose combinatorial optimization: for each control, the benefit of a policy, expressed as the risk it avoids, mitigates or transfers, is weighed against the cost of that control, subject to a predetermined investment limit.
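The control-selection step sketched in the abstract is a 0/1 knapsack problem, which the paper's own index terms name. The following is an added example, not code from the paper: it picks controls by dynamic programming under a fixed investment limit and then evaluates two hypothetical KPIs, effectiveness (share of the avoidable loss actually avoided) and efficiency (benefit per unit of money spent), across rising budgets so that the trade-off between them becomes visible. The control names, costs and benefits are constructed, and the KPI definitions are the example's own assumptions rather than the paper's.

```python
"""Added example: choosing ISMS controls as a 0/1 knapsack.

Not code from the paper. Each candidate control has an implementation
cost and a benefit (the expected loss it avoids); a fixed investment
limit caps the total cost. Costs and benefits are integers (e.g. kEUR)
so the dynamic-programming table stays small.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str       # hypothetical control label, not an Annex A reference
    cost: int       # one-off implementation cost (kEUR), assumed
    benefit: int    # expected annual loss avoided (kEUR), assumed


# Constructed sample portfolio; the figures are illustrative, not measured.
CONTROLS: List[Control] = [
    Control("MFA on remote access", cost=30, benefit=80),
    Control("offline backups", cost=20, benefit=60),
    Control("network segmentation", cost=40, benefit=90),
    Control("incident response retainer", cost=25, benefit=45),
    Control("warm DR site", cost=60, benefit=70),
]


def select_controls(controls: List[Control], budget: int) -> Tuple[int, List[Control]]:
    """Exact 0/1 knapsack by dynamic programming.

    Returns (total benefit, chosen controls in input order) such that the
    chosen costs sum to at most `budget` and the benefit sum is maximal.
    """
    n = len(controls)
    # best[i][b]: max benefit using only the first i controls within budget b
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        c = controls[i - 1]
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]             # skip control i
            if c.cost <= b:                          # or take it, if affordable
                take = best[i - 1][b - c.cost] + c.benefit
                if take > best[i][b]:
                    best[i][b] = take
    # Walk the table backwards to recover which controls were taken;
    # on a tie the control is skipped, so the result is deterministic.
    chosen: List[Control] = []
    b = budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(controls[i - 1])
            b -= controls[i - 1].cost
    chosen.reverse()
    return best[n][budget], chosen


def kpis(controls: List[Control], budget: int) -> Tuple[float, float]:
    """Two KPIs for the optimal selection at a given budget.

    effectiveness: share of the total avoidable loss actually avoided
    efficiency:    benefit per unit of money actually spent
    Both definitions are assumptions of this example, not the paper's.
    """
    total_benefit, chosen = select_controls(controls, budget)
    spent = sum(c.cost for c in chosen)
    avoidable = sum(c.benefit for c in controls)
    effectiveness = total_benefit / avoidable if avoidable else 0.0
    efficiency = total_benefit / spent if spent else 0.0
    return effectiveness, efficiency


def tradeoff_curve(controls: List[Control], budgets: List[int]) -> List[Tuple[int, float, float]]:
    """Return [(budget, effectiveness, efficiency), ...] for the given budgets."""
    return [(b, *kpis(controls, b)) for b in budgets]


if __name__ == "__main__":
    for budget, eff, effi in tradeoff_curve(CONTROLS, [20, 50, 100, 150, 175]):
        print(f"budget={budget:4d}  effectiveness={eff:5.2f}  efficiency={effi:5.2f}")
```

Run as a script, the curve shows effectiveness climbing with the budget while efficiency falls, because the controls with the best benefit-to-cost ratio are bought first and every further unit of spend buys less avoided loss. That is the trade-off the abstract points to; a real deployment would replace the constructed figures with the organisation's own cost and risk estimates per control.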
Index Terms:
ISMS, effectiveness, efficiency, ISO/IEC 27001, knapsack problem
Citation:
Wolfgang Boehmer, "Cost-Benefit Trade-Off Analysis of an ISMS Based on ISO 27001," ares, pp.392-399, 2009 International Conference on Availability, Reliability and Security, 2009