Evaluating Damages Caused by Information Systems Security Incidents

As organizations adopt increasingly sophisticated information systems, the challenge of protecting those systems becomes enormous. Accordingly, the single critical decision security managers have to make is the amount an organization is willing to spend on security measures to protect assets of the organization. To arrive at this decision, security mangers need to know explicitly about the assets of their organizations, the vulnerability of their information systems to different threats, and their potential damages. Each threat and vulnerability must be related to one or more of the assets requiring protection. This means that prior to assessing damages we need to identify assets. Logical and physical assets can be grouped into five categories: 1) InformationDocumented (paper or electronic) data or intellectual property used to meet the mission of an organization, 2) SoftwareSoftware applications and services that process, store, or transmit information, 3) HardwareInformation technology physical devices considering their replacement costs, 4) PeopleThe people in an organization who posses skills, knowledge, and experience that are difficult to replace and, 5) SystemsInformation systems that process and store information (systems being a combination of information, software, and hardware assets and any host, client, or server being considered a system). Various units of value or metrics for valuation of assets may be used. The common metric is monetary, which is generally used for data that represent money where the threat is direct financial theft or fraud. Some assets are difficult to measure in absolute terms but can be measured in relative ways, for example information. The value of information can be measured as a fraction or percentage of total budget, assets, or worth of a business in relative fashion. Assets may also be ranked by sensitivity or