SQUARE Project: Cost/Benefit Analysis Framework for Information ...

More documents

Recommendations

Info

This work is sponsored by the U.S. Department of Defense. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense. Copyright 2004 Carnegie Mellon University. NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder. Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent. This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).
Contents Abstract .............................................................................................................vii 1 Introduction..................................................................................................1 1.1 The Problem .........................................................................................1 1.2 A Framework for Cost/Benefit Analysis..................................................1 1.3 The Acme Company..............................................................................2 1.3.1 System Overview.......................................................................2 1.3.2 Business Goals..........................................................................2 1.3.3 Security Objectives....................................................................2 2 Cost/Benefit Analysis Framework...............................................................4 2.1 Terms and Concepts .............................................................................4 2.2 Methodology .........................................................................................4 2.3 Stakeholder Involvement .....................................................................10 2.4 Evaluation Criteria...............................................................................10 2.5 Maximizing System Value Within Real-Life Budget Constraints...........12 3 Cost/Benefit Analysis Framework in Practice..........................................15 3.1 Misuse Cases .....................................................................................15 3.2 Categories of Threats..........................................................................16 3.3 Risk Exposures ...................................................................................17 3.4 Architectural Recommendations..........................................................17 3.5 Policy Recommendations....................................................................17 3.6 Total System Value Versus Total Implementation Costs.......................18 3.7 Benefit/Cost Ratio Versus Total Implementation Costs ........................19 3.8 Total Implementation Costs Versus Risk Exposures ............................20 3.9 Values Versus Risk Exposures............................................................21 4 Lessons Learned........................................................................................23 4.1 Misuse Cases .....................................................................................23 4.2 Estimation of Losses ...........................................................................23 4.3 Estimation of Costs .............................................................................23 4.4 Cost Structures of Security Improvement Projects...............................24 CMU/SEI-2004-TN-045 i
Page 1: SQUARE Project: Cost/Benefit Analys
Page 5 and 6: List of Figures Figure 1: Categoriz
Page 7 and 8: List of Tables Table 1: Terms and C
Page 9 and 10: Abstract Many companies rely on his
Page 11 and 12: 1 Introduction The purpose of a cos
Page 13 and 14: Integrity: The system performs its
Page 15 and 16: will not explain in depth how to ge
Page 17 and 18: Using the aforementioned probabilit
Page 19 and 20: Total Benefits = = N ∑ i= 1 N ∑
Page 21 and 22: Category of Preventions ( P ) i Bas
Page 23 and 24: Back to the problem, there are N po
Page 25 and 26: 3 Cost/Benefit Analysis Framework i
Page 27 and 28: 3.3 Risk Exposures The cost/benefit
Page 29 and 30: Total System Value vs. Total Implem
Page 31 and 32: The variance around the trend line
Page 33 and 34: 4 Lessons Learned 4.1 Misuse Cases
Page 35 and 36: 5 Conclusions The objective of the
Page 37 and 38: References URLs are valid as of the
Page 39 and 40: REPORT DOCUMENTATION PAGE Form Appr

SQUARE Project: Cost/Benefit Analysis Framework for Information ...

Create successful ePaper yourself

Delete template?

Save as template?