Methodologies for Evaluating Information Security Investments - What Basel II Can Change in the Financial Industry

The New Basel Capital Accord (Basel II) will include operational risk to the calculation of necessary regulatory capital in financial institutions after year-end 2006. Most of the banks have already developed sophisticated risk management frameworks helping to quantify and manage operational risk. Information security has direct impact on operational risk, but risk managers consider Information Systems (IS) related risks not enough by now. This problem mainly depends on the variety of methods used by security managers to evaluate systems security and to develop security concepts. Even little efforts would enable information security officers to quantify the benefits of information security investments using operational risk quantification methods. The security community has not yet addressed this opportunity. The article discusses models used for decisions about security investments known from the field of security economics and accounting and illustrates the problems by applying these models. Based on a general operational risk management framework of a bank, this article introduces a new approach using accepted risk management methods.