IA Econ of Cyber Security

2011-12-11 15:47:28
IA Econ Cyber Security

IA Final

  1. regulatory requirements, historical vulnerabilities, client requests, audits, media attention, compromised internal security
    why invest in security
  2. Business Case Includes (7)
    • Description of problem
    • list of solutions
    • constraints on solving
    • list of underlying assumptions
    • analysis of each alternative
    • summary of proposed investment
  3. in a business case the analysis of each alternative includes
    risks, costs, and benefits
  4. Balanced Scorecard Approach includes
    customer view, operational view, financial view, improvement view
  5. Balanced scorecard approach - customer needs and satisfaction
    customer view
  6. Balanced scorecard approach - core competencies
    operational view
  7. Balanced scorecard approach - ROI, share price
    Financial view
  8. Balanced scorecard approach - market leadership, added value
    improvement view
  9. NPV, IRR, ROI test
    economic value
  10. The rate that yields a NPV of 0
    Internal Rate of Return
  11. Profit/cost of investments to generate those profits - historical view
    Return on Investment
  12. Cost of security should be a small fraction of the possible
  13. In Quantifying Security you must know (3)
    • Assets needing protection
    • Vulnerabilities in a system
    • Threats to a system
  14. How do industry sectors affect the economy? How does cyber security affect the economy? How does this vary internationally?
    National and Global Data
  15. How do various enterprises manage their cyber security - hard data to get in detail
    enterprise data
  16. Threats against core infrastructure technologies
    technological data
  17. Must have for decision making (4)
    • Accuracy
    • Consistency
    • Timeliness
    • Reliability
  18. when you are getting data for decision making this is very difficult to have with IT security
  19. when getting data for decision making asking what is an intrusion? Is a DDOS setup 5,000 intrusions or one?
  20. when getting data for decision making this is asking
    Do companies report all intrusions
  21. focus on midrange vulnerabilities - pay no more than 37-50% of an expected loss to protect against the loss
    how much to invest in security
  22. pay no more than ___ of an expected loss to protect against the loss
  23. look at economic effects - look at stock prices
    impact of an it breach
  24. process folks follow - what everyone else does
    best practices
  25. they test and evaluate extensively
    results organizational culture
  26. these folks look to job satisfaction and job motivation
    employee organizational culture
  27. folks focus on completed milestones - paid per line of code
    job organizational culture
  28. rewards for internal goals
    parochial organizational culture
  29. for certification goals
    professional organizational culture
  30. welcome new talent from the outside and training - this is the general rule for universities
    open organizations
  31. hire from within, preserving the status quo
    closed organizations
  32. ad hoc self forming teams, not much reporting
    loose organizational structure
  33. managers make teams, rigidly track them
    tight organizational structure
  34. focus is on best practices, life-cycle methodologies - ERP - adjusts to business
    normative organizational culture
  35. get it done, typically companies that promote themselves as agile
    pragmatic organizational cultures