Affordable Access

Collection of Quantitative Data on Security Incidents

Publication Date
  • 004 Informatik
  • 330 Wirtschaft


Collection of Quantitative Data on Security Incidents Thomas Nowey Department Management of Information Security University of Regensburg Germany [email protected] Hannes Federrath Department Management of Information Security University of Regensburg Germany [email protected] Abstract Quantitative data about security threats is a precondi- tion for a precise assessment of security risks and conse- quently for an efficient management of information security. Currently such data is hardly available, especially for small and medium-sized organizations. In this paper we discuss different ways of gathering quantitative data and present a new approach for the collection of historical data on secu- rity incidents. We propose a platform that collects, aggre- gates and evaluates data on security incidents from multi- ple organizations. We identify basic requirements for such a platform and show approaches for satisfying them. We especially emphasize the aspects of security and fairness. Finally we introduce a prototype that shows how an imple- mentation could look like. 1 Introduction Organizations of all sizes face a growing need to deter- mine security risks and to evaluate costs and benefits of possible security investments. Various factors intensify this trend. First, there is the growing importance of security in general because of the growing number of threats and at- tacks over the past years (see [7]). Second, due to the law of decreasing marginal utility, we know that there must be a utility maximizing bundle of security measures. So secu- rity managers are looking for that optimal bundle to invest in or in other words they seek to answer the question “How much is enough” ([12]). Finally there are compliance re- quirements. A variety of external regulations like Sarbanes- Oxley Act and Basel II stipulate that organizations are able to assess their risks, including security risks. Analyzing costs and benefits of security investments and a

There are no comments yet on this publication. Be the first to share your thoughts.


Seen <100 times

More articles like this

Data collection: a process for healthcare security...

on Healthcare protection manageme... 1982

Web-based data collection: security is only as goo...

on Anesthesia & Analgesia December 2005

Reporting security incidents.

on Journal of AHIMA / American He... March 2005
More articles like this..