**6. The ASThMA (ABBO's Security Theoretical Measurement Algorithm)**

In a given Information Security System, the implementation view should go deeper into the organizational aspects, creating operational patterns that always depend on "functional cost" and "security performance" (Abbo, Sun - May 2009, pp. 342-346).

represented by the ordinate of each point in the realistic curve, which is a percentage value. The difference between one hundred and the value of security performance represents both the value of "threat performance" and the "quantitative risk analysis" for any model that has the same premises and surrounding conditions.

The calculation of functional cost should be relatively easy to determine in a strictly accounting way, and its acceptance as an analytical tool addresses any possible scenario represented by all the families of security performances in every Information System (IS) context. In addition, any change in the security architecture of an existing or projected Information System should always take into consideration both the functional cost and the rate of security performance.

From an analytical point of view, that means drawing the curve **y = SP(x)**: the functional cost is fixed, but its correspondence with the value of the Security Performance Curve is a variable that has to be won on the field. While functional cost and security performance rates are variables that should be considered in the strategic planning, the dynamic confrontation belongs to the operational planning. The tactical context should be tailored, in the middle period, for monitoring intrusions in order to:

- create a kind of "field continuative intelligence" against the threat attempts and breakages;
- create a continuative operational feedback for a better security proficiency;
- match together the quantitative and qualitative risk analysis.

The current use of data mining investigations and link analysis techniques can be proficiently integrated with the broader intelligence of the "Company's Mission" or with any allied IS security systems. Actually, the whole domain is largely unexplored, in the sense that the "IS intelligence abilities" are mainly used in the relations either between the Information and Company missions or between the Company mission and its customers. On the other hand, the reporting capacity for IS security purposes ranges mainly in the operational planning for "daily purpose statistics".

The implementation of the same existing processes between the Information and Company missions, like CRM and Business Intelligence, together with the appropriate definition of indicators and warnings, will be a proper way to close the security loop for any implementing stage of security governance. The capacity of reporting, like any "measurable issue", is limited by two main considerations. The first is the capacity of measurement, both from a technical and from a managerial point of view. In the specific case, the reporting capacity of a security disruption (or attempted intrusion) should consider whether the technological tools can be proficient enough and whether their employment on a large scale can create a managerial bias in the governance of the IS architecture. The second is the willingness, the needs or the convenience of the Company mission management to implement a reporting process function in the tactical domain, the threshold of implementation and the level of accuracy.

A way to build up operational patterns is to consider the Information domain that needs to be secured as horizontal interlocking sets, each one with its technical, organizational and formal security issues. The sets can be considered the domains of the pertinent situation. Each domain has its functional cost and a class of security mitigation measures that can be considered mathematical variables. The mitigation measures belong to two main categories: preventive measures, which act on the probability of occurrence (table 2), and protective measures, which act on the rate of impact (table 3).

Any domain can be seen as a mathematical function that links the implementation of the measures with a probability of occurrence or with a percentage reduction of the rate of impact.

On the Y-axis we have n integrated domains and, for each one, a function stating that the probability of effectiveness of the security system against a negative event and/or a category of homogeneous negative events is a function of the interaction of the implemented preventive measures:

#### PE = f(Pm1; Pm2; …; Pmn)

The mathematical union of all the domains gives the global probability of effectiveness of the security system. This mathematical union is the algorithm called ASThMA, and the results can be put in the pertinent matrix (table 2).

Table 2. The ASThMA matrix for preventive measures. All the numbers are percentage values. PE represents the probability of effectiveness of the security system, PA the probability of an attack and PO the probability of a negative event and/or a category of homogeneous negative events.

A similar assumption can be made for the domain of the X-axis, where the generic probability is replaced by the percentage rate of impact of a negative event and/or a category of homogeneous negative events, which is a function of the interaction of the implemented protective measures (table 3).

**Pertinent Parameters**

| Domains | Functional cost | Percentage of pure damage reduction | Cost of resilience | Time of resilience | Consequential damages |
|---|---|---|---|---|---|
| 1st Domain | % | % | Currency | ∆t | % |
| 2nd Domain | % | % | Currency | ∆t | % |
| … | … | … | … | … | … |
| (Nth-1) Domain | % | % | Currency | ∆t | % |
| Nth Domain | % | % | Currency | ∆t | % |
| Mathematical Union of all Domains | % | % | Currency | ∆t | % |

Table 3. The ASThMA matrix for protective measures. It takes into consideration, for every domain, the functional cost, the percentage of immediate damage reduction, the cost and the time of reset (resilience parameters) and the consequential damage of a negative event and/or a category of homogeneous negative events. The consequential damages consider a future percentage reduction of the Company Mission (loss of image, business activity, etc.).
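The two matrices above leave the combination function f(Pm1; …; Pmn) and the "mathematical union" unspecified. The following is an added worked example, not code from the chapter or its author: it fills the Table 2 columns (Fc, PE, PA, PO) and the Table 3 damage-reduction column for a constructed two-domain system. The combination rule (measures and domains act as independent layers, so an event gets through only by defeating all of them), the shared attack probability PA and the relation PO = PA × (100 − PE)/100 are assumptions of this example, as are the domain names and sample percentages.

```python
from dataclasses import dataclass
from math import prod
from typing import Dict, List


@dataclass
class Domain:
    """One horizontal domain of the information system (constructed modelling of the
    chapter's 'domains'). Every measure is given as a percentage (0-100), as in the
    ASThMA matrices."""
    name: str
    functional_cost_pct: float      # Fc: share of the business budget spent on this domain
    preventive_pct: List[float]     # Pm1..Pmn: effectiveness of each preventive measure
    protective_pct: List[float]     # damage reduction of each protective measure


def combine_independent(pcts: List[float]) -> float:
    """ASSUMED form of f(Pm1; ...; Pmn): the measures act independently, so a negative
    event gets through only if it defeats every one of them. Takes and returns
    percentages; an empty list means nothing is implemented, hence 0 % effectiveness."""
    if not pcts:
        return 0.0
    fractions = [p / 100.0 for p in pcts]
    if any(f < 0.0 or f > 1.0 for f in fractions):
        raise ValueError("measure values must lie between 0 and 100")
    return 100.0 * (1.0 - prod(1.0 - f for f in fractions))


def preventive_matrix(domains: List[Domain], pa_pct: float) -> List[Dict[str, float]]:
    """Table 2 rows: Fc, PE, PA and PO per domain, plus the union row.
    ASSUMED: PA is one attack probability shared by all domains, and
    PO = PA * (100 - PE) / 100, i.e. the attack happens and the security system fails."""
    rows = []
    for d in domains:
        pe = combine_independent(d.preventive_pct)
        rows.append({"domain": d.name, "Fc": d.functional_cost_pct,
                     "PE": pe, "PA": pa_pct, "PO": pa_pct * (100.0 - pe) / 100.0})
    # Union row: the domains are interlocking layers, so an event must pass all of them;
    # functional costs simply add up.
    pe_union = combine_independent([r["PE"] for r in rows])
    rows.append({"domain": "Union of all domains",
                 "Fc": sum(r["Fc"] for r in rows),
                 "PE": pe_union, "PA": pa_pct,
                 "PO": pa_pct * (100.0 - pe_union) / 100.0})
    return rows


def protective_damage_reduction(domains: List[Domain]) -> Dict[str, float]:
    """Table 3, 'percentage of pure damage reduction' column, per domain and for the
    union row, combined with the same independence assumption."""
    out = {d.name: combine_independent(d.protective_pct) for d in domains}
    out["Union of all domains"] = combine_independent(list(out.values()))
    return out


# Constructed sample input (not from the chapter): two domains, attack probability 40 %.
SAMPLE_DOMAINS = [
    Domain("Network perimeter", 5.0, preventive_pct=[60.0, 50.0], protective_pct=[30.0, 20.0]),
    Domain("Application", 3.0, preventive_pct=[75.0], protective_pct=[50.0]),
]
SAMPLE_PA = 40.0

if __name__ == "__main__":
    for row in preventive_matrix(SAMPLE_DOMAINS, SAMPLE_PA):
        print(f'{row["domain"]:<22} Fc={row["Fc"]:5.1f}%  PE={row["PE"]:5.1f}%  '
              f'PA={row["PA"]:5.1f}%  PO={row["PO"]:5.1f}%')
    for name, reduction in protective_damage_reduction(SAMPLE_DOMAINS).items():
        print(f"{name:<22} pure damage reduction={reduction:5.1f}%")
```

With these inputs the perimeter domain reaches PE = 80 % (two measures of 60 % and 50 %), the application domain 75 %, and the union row 95 %, so the probability of a negative event falls from PA = 40 % to PO = 2 %. Swapping `combine_independent` for another rule (for instance the weakest measure dominating) is the only change needed to model a different interaction between measures.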

Information Security Management Accounting 133

It should be remarked that in each domain there are quantitative variables, which can be expressed with a numerical entity, and qualitative variables, which can be expressed with an on/off implementation and a coefficient of quality. It is important to establish the appropriate indicators that reflect the aspects of the situation and whose calculation is done by mathematical formulas. The set of indicators is called A.S.I.A. (ABBO's Security Indicators Array). The validation of those indicators consists in their usefulness for a dual reason:

- the creation of a metrics, independent of the technology, that immediately gives evidence of the links among security architectural safeguards, risks for the architecture and the business purpose of the architecture, surrounding environment and negotiation power with the threat;
- the frame (upper and lower level) for internationally recognized security standard-

A.S.I.A. includes, but is not limited to, the following set of indicators:

**TPP** - Threat Penetration Power indicator =

#### (Ei At) Ka / Tp where

**Ei** Number of events that should take place for the threat to reach its aim

**At** Skilfulness coefficient, ranging from 0 to 1

**Ka** Time of alert for any event that should take place for the threat to reach its aim

**Tp** Penetration time of the threat

**TM** - Threat Motivation indicator =

#### Tib / Ei Twc where

**Tib** Incoming benefits that the threat obtains after reaching its aim

**Ei** Number of events that should take place for the threat to reach its aim

**Twc** Working costs that the threat must afford for any single event

**TR** - Threat Deterrence indicator =

#### Pt Ei Twc where

**Pt** Penetration time of the threat

**Ei** Number of events that should take place for the threat to reach its aim

**Twc** Working costs that the threat must afford for any single event

**RE** - Resilience Elasticity indicator =

#### Rc / Ti where

**Rc** Cost of reset after a negative event

**Ti** Total income of the business supported by the information system

**Fc** - Functional cost. It is the percentage of resources of the business system budget that is invested in the defensive measures to protect the information. It is a number that ranges from 0 to 100.

**WoS** - Weight of System indicator =

#### Cs / Ti where

**Cs** Cost of safeguards

**Ti** Total income of the business supported by the information system

**Po** Probability of occurrence

**Cpo** Conditional probability of occurrence. It is the probability of a further negative event, given the occurrence of an initial negative event.

All the previous indicators should be applied abstractly to any information architecture, independently of the employed technology.
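The A.S.I.A. formulas are given only symbolically. The following is an added worked example, not code from the chapter or its author, that evaluates TPP, TM, TR, RE, WoS and Fc on a constructed threat and business profile and checks the input ranges the definitions imply (At between 0 and 1, Ei at least one event, non-zero Tp, Twc and Ti). The groupings (Ei·At)·Ka/Tp, Tib/(Ei·Twc) and Pt·Ei·Twc follow the formulas as written; the `budget`/`defensive_spend` split used to derive Fc, the class and function names and the joint use of Po and Cpo as Po × Cpo are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class ThreatProfile:
    """Threat-side parameters of A.S.I.A. (constructed field names; symbols are the chapter's)."""
    ei: int       # Ei  number of events the threat needs to reach its aim
    at: float     # At  skilfulness coefficient, 0..1
    ka: float     # Ka  time of alert per event (same time unit as tp)
    tp: float     # Tp / Pt  penetration time of the threat
    tib: float    # Tib incoming benefit once the aim is reached (currency)
    twc: float    # Twc working cost the threat bears for each event (currency)

    def __post_init__(self) -> None:
        # Ranges implied by the definitions: at least one event, At in [0, 1],
        # positive penetration time and working cost (both appear as divisors).
        if (self.ei < 1 or not 0.0 <= self.at <= 1.0 or self.ka < 0
                or self.tp <= 0 or self.twc <= 0):
            raise ValueError("threat profile outside the ranges the indicators assume")


@dataclass
class BusinessProfile:
    """Business-side parameters (constructed field names)."""
    ti: float               # Ti total income supported by the information system
    cs: float               # Cs cost of safeguards
    rc: float               # Rc cost of reset after a negative event
    budget: float           # whole business system budget (ASSUMED input for Fc)
    defensive_spend: float  # part of the budget invested in defensive measures

    def __post_init__(self) -> None:
        if self.ti <= 0 or self.budget <= 0 or min(self.cs, self.rc, self.defensive_spend) < 0:
            raise ValueError("business profile outside the ranges the indicators assume")


def tpp(t: ThreatProfile) -> float:
    """TPP Threat Penetration Power = (Ei At) Ka / Tp."""
    return (t.ei * t.at) * t.ka / t.tp


def tm(t: ThreatProfile) -> float:
    """TM Threat Motivation = Tib / (Ei Twc): benefit per unit of total working cost."""
    return t.tib / (t.ei * t.twc)


def tr(t: ThreatProfile) -> float:
    """TR Threat Deterrence = Pt Ei Twc."""
    return t.tp * t.ei * t.twc


def re_indicator(b: BusinessProfile) -> float:
    """RE Resilience Elasticity = Rc / Ti."""
    return b.rc / b.ti


def wos(b: BusinessProfile) -> float:
    """WoS Weight of System = Cs / Ti."""
    return b.cs / b.ti


def fc(b: BusinessProfile) -> float:
    """Fc Functional cost: percentage (0-100) of the budget invested in defensive measures."""
    return 100.0 * b.defensive_spend / b.budget


def chained_occurrence(po: float, cpo: float) -> float:
    """Po combined with Cpo: probability that an initial negative event occurs AND the
    further event follows it (ASSUMED use of the conditional probability)."""
    for p in (po, cpo):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in 0..1")
    return po * cpo


def asia_indicators(t: ThreatProfile, b: BusinessProfile, po: float, cpo: float) -> Dict[str, float]:
    """Evaluate the whole indicator array for one threat/business pair."""
    return {"TPP": tpp(t), "TM": tm(t), "TR": tr(t), "RE": re_indicator(b),
            "WoS": wos(b), "Fc": fc(b), "Po": po, "Cpo": cpo,
            "Po*Cpo": chained_occurrence(po, cpo)}


# Constructed sample values (not from the chapter); times in hours, money in one currency.
SAMPLE_THREAT = ThreatProfile(ei=4, at=0.5, ka=2.0, tp=8.0, tib=50_000.0, twc=1_000.0)
SAMPLE_BUSINESS = BusinessProfile(ti=2_000_000.0, cs=60_000.0, rc=120_000.0,
                                  budget=500_000.0, defensive_spend=40_000.0)

if __name__ == "__main__":
    for name, value in asia_indicators(SAMPLE_THREAT, SAMPLE_BUSINESS, 0.1, 0.3).items():
        print(f"{name:>6}: {value:g}")
```

For the sample profile the threat needs four events at 1 000 each to win 50 000, so TM = 12.5 (benefit well above working cost) while TR = 32 000 and TPP = 0.5; on the business side WoS = 0.03 and RE = 0.06 express safeguards and reset cost as fractions of income, and Fc = 8 % of the budget goes to defensive measures. Because every indicator is a plain ratio of accounting or time quantities, the same functions apply to any architecture once the inputs are measured, which is the technology independence the chapter asks for.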

**7. Conclusion**

The aforementioned paragraphs set out some fundamental aspects linked to security and risk analysis.

**Firstly**, security is framed as an engineered system where the input is a malevolent human attack upon a business architecture and the desired output is a defeated adversary and an intact asset. In the design of the engineered security system the desired output is the risk evaluation, expressed by numbers that are the result of the formula likelihood (or probability of occurrence) and severity of the consequence(s), both normally expressed qualitatively.

**Secondly**, the three pillars (C.I.A. triangle) are seen as a whole **and not specifically considered as a multiple value entity**, and consequently the investments and the implementation of safeguards are indiscriminate. It would be more appropriate to link the value of availability, confidentiality and integrity with the asset and liability statement for any class or set of information, at the end of the suitable working timeframe.

**Thirdly**, the security system **is not considered as an economic system**, in the sense that there is no leverage between performances and investments. The implementation of safeguards in an information system matches the risk reduction in the supported business system, but it is not compared with the Return on Investment (ROI) of the information safeguards. That is a consequence of the shortcoming of the above mentioned system feedback.

**Fourthly**, the implementation of safeguards in an engineered system increases the weight of the system itself and biases the efficiency of the mission.
