EVALUATION OF INFORMATION SECURITY EFFECTIVENESS MEASURES UNDER UNCERTAINTY

Uncertainty of information security system properties is inherent at all stages of its life cycle due to real exposure to random factors of external and internal environment. As a project is implemented, the system uncertainty tends to reduce, but its operation efficiency can never be adequately expressed and described by deterministic parameters. In this case probabilistic methods are most applicable to evaluate efficiency of implementation and operation of information security systems. In accordance with these methods, levels of system safeguards are transformed into confidence levels of corresponding estimates. Under these conditions, data to evaluate effectiveness of information security enhancement measures can be obtained by using simulation modeling. A suggested methodology for information security impact assessment at a company implies modeling of estimates of losses avoided. The value of losses avoided can be calculated on the basis of the likelihood of an information security incident and resulting possible economic losses before and after implementation of information security measures at an object. Total losses avoided resulting from the simulation covering all information security incidents enable to specify and to carry out scenario-based calculations of potential effects of such measures. The final evaluation of information security enhancement measures can be performed by any known method. Globally a standard method of cost-benefit analysis (CBA) is widely used to evaluate effectiveness of IT projects. Implementation of the suggested information security enhancements evaluation methodology has been based on the CBA method. The main advantage of the proposed information security enhancements evaluation methodology is its ability to pay due regard to the real world uncertainty thanks to simulation modeling. This enables to some extent to increase the validity of evaluation estimates.