Open Access
Economic aspects and needs in IT-security risk management for SMEs
Author(s) -
Markus Klemen
Publication year - 2004
Publication title -
citeseer x (the pennsylvania state university)
Language(s) - English
Resource type - Conference proceedings
DOI - 10.1049/ic:20040285
Subject(s) - risk management , countermeasure , resource allocation , security management , risk analysis (engineering) , security information and event management , computer science , information security management , business , resource management (computing) , computer security , knowledge management , cloud computing security , finance , engineering , cloud computing , computer network , aerospace engineering , operating system
Business success depends increasingly on reliable IT-Infrastructure. IT-Security risk management aims at an optimal allocation of security resources with respect to an "affordable" IT-Security level. In comparison to large corporations, small and medium-sized enterprises (SMEs) typically have few resources and little expertise in IT-Security risk management. Therefore, they need SME-focused framework processes and methods for strategic planning and operational tool support. The long-term goal is to improve the general security level of SME IT-Infrastructure. In this position paper, we argue for a closer tie between economic and technical aspects of IT-Security Risk Management. Based on the RiskIt risk management process, we propose empirical investigations to tackle SME-specific data needs for risk analysis and multi-objective optimization for risk-countermeasure resource allocation.

1. Current Interests

Markus Klemen is on a Ph.D. track at the Vienna University of Technology, where he focuses on economic issues of IT-Security risk management specifically customized to the requirements of small and medium-sized enterprises, which may be addressed by means of multi-objective decision support methods (see also [20]). Other areas of his interest include Honeynet projects, IPv6 security aspects and information security procedures. Stefan Biffl is an associate professor of software engineering at the Vienna University of Technology. His research interests include Empirical Software Engineering, economic models for software engineering processes, project management, quality management, software inspection, and reading techniques for software inspection.

2. Past Work

During our cooperation with SMEs over the past years, we found a profound need for solid, scientific support for SME-specific IT-Security. We began to address this field, first in a diploma thesis (IT-Security in SMEs).
Based on early work of Raiffa and Schlaifer dating back to 1961 [1] with considerable refinement by Howard in 1966 [2] we adapt the RiskIt process for systematic risk management to IT-Security requirements [3][4][5]. For economic evaluation of decision options we have used classic approaches towards the financial quantification of IT-related risks like ALE (Annual Loss Expectancy) [6] enhanced in Kevin SooHoo’s Ph.D. thesis [7]. As IT-Security countermeasure planning is often a multi-objective problem, we came across the concept of Quadtrees developed by Habenicht [8] and Sun and Steuer [9]. For further research we want to build on an application of the theory of multi-objective decision support to IT-Security by Stummer and Strauss [11].
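The following added example (not code from the paper or its authors) shows how the two ideas above fit together in practice: ALE (SLE multiplied by ARO) is used to price each threat, and countermeasure portfolios are then compared on the two objectives the paper names, annual cost and residual loss. The Pareto filter here is a brute-force enumeration over subsets, standing in for the quadtree structures of Habenicht [8] and Sun and Steuer [9]; all threat figures, countermeasure costs and mitigation fractions are constructed for illustration, and the example assumes that the mitigation effects of different countermeasures against the same threat are independent, so surviving ARO is the product of the (1 - mitigation) factors.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Threat:
    """A threat priced by its single loss expectancy (SLE, EUR) and
    annualised rate of occurrence (ARO, events per year)."""
    name: str
    sle: float
    aro: float


@dataclass
class Countermeasure:
    """A countermeasure with its annual cost (EUR) and, per threat name,
    the fraction of that threat's ARO it is assumed to remove (0..1)."""
    name: str
    annual_cost: float
    mitigation: dict


def ale(threat: Threat) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO."""
    return threat.sle * threat.aro


def residual_ale(threats, portfolio) -> float:
    """Total ALE that survives once every countermeasure in the portfolio is
    in place. Assumption (not from the paper): mitigation factors of different
    countermeasures against the same threat are independent, so the surviving
    ARO is the product of the (1 - mitigation) terms."""
    total = 0.0
    for t in threats:
        surviving = 1.0
        for cm in portfolio:
            surviving *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += ale(t) * surviving
    return total


def portfolio_cost(portfolio) -> float:
    return sum(cm.annual_cost for cm in portfolio)


def pareto_front(threats, countermeasures, budget):
    """Enumerate every subset of countermeasures that fits the budget and keep
    the ones not dominated on (annual cost, residual ALE). Brute force is
    acceptable at SME scale; a quadtree would replace the inner scan for
    larger portfolios. Returns sorted (cost, residual_ale, names) triples."""
    candidates = []
    for r in range(len(countermeasures) + 1):
        for combo in combinations(countermeasures, r):
            cost = portfolio_cost(combo)
            if cost <= budget:
                candidates.append((cost, residual_ale(threats, combo), combo))
    front = []
    for cost, res, combo in candidates:
        dominated = any(
            c2 <= cost and r2 <= res and (c2 < cost or r2 < res)
            for c2, r2, _ in candidates
        )
        if not dominated:
            front.append((cost, res, tuple(cm.name for cm in combo)))
    return sorted(front)


# Constructed sample data: illustrative figures, not taken from the paper.
THREATS = [
    Threat("ransomware", sle=50_000, aro=0.2),     # ALE 10 000
    Threat("phishing", sle=20_000, aro=0.5),       # ALE 10 000
    Threat("disk_failure", sle=8_000, aro=1.0),    # ALE  8 000
]
COUNTERMEASURES = [
    Countermeasure("backup", 2_000, {"ransomware": 0.6, "disk_failure": 0.9}),
    Countermeasure("training", 1_500, {"phishing": 0.5, "ransomware": 0.3}),
    Countermeasure("mfa", 1_200, {"phishing": 0.8}),
    Countermeasure("edr", 4_000, {"ransomware": 0.7}),
]

if __name__ == "__main__":
    print(f"ALE without countermeasures: {residual_ale(THREATS, ()):.0f} EUR")
    for cost, res, names in pareto_front(THREATS, COUNTERMEASURES, budget=5_000):
        print(f"cost {cost:>6.0f}  residual ALE {res:>8.0f}  {names}")
```

With a 5 000 EUR annual budget, the front contains five portfolios, from doing nothing (28 000 EUR expected loss) to backup plus training plus MFA (4 700 EUR cost, 4 600 EUR residual ALE); the EDR option never appears, because within this budget the cheaper backup dominates it on both objectives. The decision between points on the front is exactly the multi-objective trade-off the paper leaves to decision support methods rather than to a single scalar such as ROSI.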
