One of the challenges with ICT security is ‘selling’ the notion of investing in ICT security. One approach is to use a traditional return on investment approach with an emphasis on information security issues. This is referred to as a Return on Security Investment (ROSI) and ROSI calculations can be presented to management to justify security investments.
The ROSI elements discussed during the semester included the following formula components: Single Loss Expectancy (SLE); Annual Rate of Occurrence (ARO); Annual Loss Expectancy (ALE), which is calculated as ALE = ARO × SLE; and Modified Annual Loss Expectancy (MALE), which is the ALE after the implementation of the proposed security controls. The ROSI takes account of the ALE, the MALE and the cost of the proposed controls.
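As an added illustration of how these components combine (this is not part of the assignment text), the function below computes ALE, MALE and ROSI from the named inputs. It assumes the commonly used form ROSI = (ALE − MALE − control cost) / control cost, and the sample figures it runs on are constructed for illustration rather than taken from the scenario above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiInputs:
    """Inputs to a Return on Security Investment calculation."""
    sle: float               # Single Loss Expectancy: cost of one incident
    aro: float               # Annual Rate of Occurrence: incidents per year
    control_cost: float      # annual cost of the proposed control
    mitigation_ratio: float  # fraction of the loss expectancy the control removes (0..1)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE."""
    return aro * sle


def modified_ale(ale: float, mitigation_ratio: float) -> float:
    """MALE: the ALE that remains once the control is in place."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    return ale * (1.0 - mitigation_ratio)


def rosi(inputs: RosiInputs) -> dict:
    """Return ALE, MALE, the net annual benefit and ROSI as a ratio.

    Assumed formula (not stated on the page): ROSI = (ALE - MALE - cost) / cost.
    A negative ROSI means the control costs more per year than the loss it avoids.
    """
    if inputs.control_cost <= 0:
        raise ValueError("control_cost must be positive; a free control has no ROI to compute")
    ale = annual_loss_expectancy(inputs.sle, inputs.aro)
    male = modified_ale(ale, inputs.mitigation_ratio)
    benefit = ale - male - inputs.control_cost
    return {
        "ALE": ale,
        "MALE": male,
        "net_benefit": benefit,
        "ROSI": benefit / inputs.control_cost,
    }


if __name__ == "__main__":
    # Constructed sample: $20,000 per incident, 4 incidents a year,
    # a $10,000/year control that halves the loss expectancy.
    sample = RosiInputs(sle=20_000, aro=4, control_cost=10_000, mitigation_ratio=0.5)
    result = rosi(sample)
    for key, value in result.items():
        print(f"{key:>12}: {value:,.2f}")
```

Because the helper returns the intermediate ALE and MALE alongside the ratio, it is easy to show management each step of the argument rather than a single headline percentage, and to re-run it with different ARO or mitigation assumptions to see how sensitive the result is to those estimates.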
Consider the following scenario involving the help desk staff responsible for providing support to the HRM system from question 1:
The help desk staff reset hundreds of passwords annually for various reasons. On average, the help desk staff reset 10 passwords annually without properly verifying the staff member’s identity and so provide access to the wrong person. The damages from reputational and privacy breaches are estimated to cost $10,000 per incident. By implementing a verification software package with a licence cost of $5,000 per annum, the loss expectancy would be reduced by 75%.
Calculate the ROSI for this scenario.
Given this scenario, discuss the limitations with using a ROSI calculation in this manner. You should provide 5 issues that highlight limitations with the application of a ROSI used as a primary means to justify this control.
Part (b) (10 marks)
Your information security section within the university (as per Q1) conducts a series of rolling security evaluations of its general IT environment and specific core application systems. You have been allocated the task of conducting the evaluation of the baseline controls in the general IT environment. An activity early in this process is the construction of a suitable normative model for the evaluation.
Using the ISO 27002 information security framework discussed during the semester, identify 5 controls that would be important elements of the normative model. It is quite likely that there will be many more than 5 controls relevant to this baseline security situation, but you should try to select 5 of the more important controls.
You should provide a brief rationale for the selection of the controls for the normative model.