**5. The ABBO's Information Models for Security – A.I.M.S.**

A system is a collection of interacting components, policies and procedures that are integrated and organized to react to an input and produce a predictable output, with feedback. Everything that is not part of the system is called the surroundings (Rogers B.B., 2006 pp. 67-71). The components themselves and the relationships among them determine how the system works.

A complex system is defined as a diverse system of sub-systems working together toward a common goal.

Complex systems may be deterministic or probabilistic. The goal of a deterministic system is to produce the same output every time given a specific input. The performance of a deterministic system can be modelled and predicted by mathematical tools such as algebra and calculus. On the other hand, probabilistic systems do not always produce the same output, but rather a distributed output with a central tendency.

The ICT Security Company's System is the core model of the A.I.M.S. family. It is made of three sub-systems, like three entities in a closed market, as illustrated in Figure 5 (Abbo, Sun, Feb 2009 pp 195 – 200).

The first entity is the "ICT security mission", a manufacturer whose customers are the other two entities: the "Information mission" and the "Company's mission". We should consider the Company's mission an external running business engaged internally in an innovation epolicy which dedicates resources and requirements to the information and ICT security missions. When we talk about resources we mean all the instrumental items: money budgets, software, manpower, hardware, facilities, training, know-how capabilities, operating procedures etc., which can be full-time or part-time dedicated. All those assets are components of the company's "chain of value" for fulfilling its mission, and it is possible to measure them like an income account in a fiscal period. The three entities are obviously well-founded on information.

The quantity of information is normally encapsulated in **business information flows** (**B.I.F.s**), which we can define as a summation of Acts, Facts, Requested Information (RI) and Delivered Information (DI) in a given time interval:

$$\frac{\sum (\text{Acts}, \text{Facts}, \text{RI}, \text{DI})}{\Delta T}$$

The facts consist of the potential productivity of the infrastructural architecture, and the acts consist of all the human and automatic actions connected with the architecture.

Risks are always understood in relation to overall business opportunity and appetite for risk. Sometimes risk is compensated by opportunity (ENISA 2009 p.22). In its report regarding Cloud Computing Risk Assessment, the European Network and Information Security Agency (ENISA) classifies the risks identified in the assessment into three categories:

a. Policy and organizational risks;

b. Technical risks;

c. Legal risks.

Fig. 5. The three missions are the entities of a closed market where Company and Information are the two customers of Security Services.

**"Information mission"** is a pure deterministic system. It is designed to deliver business flows either on demand or automatically. Its competitive advantage is given by the effective business information flows per unit of time:

$$\frac{\text{Number of B.I.F.s}}{\text{Unit of time}}$$

**"Company Mission"** is both a probabilistic and deterministic system. It is designed to exploit the on-demand business information flows for a commercial objective, either a service or a good. It is the only Mission in which pure risk (loss or no-loss situation) and speculative risk (loss or gain situation) coexist. Its competitive advantage is given by the summation of profit per each Business Information Flow in the fiscal period:

$$\frac{\sum (\text{single B.I.F.} \times \text{its own profit})}{\text{Fiscal } \Delta T}$$

**"Security Mission"** is a pure probabilistic system. It is designed to protect the effectiveness of the business information flows according to the C.I.A. triangle. Its competitive advantage is given by one minus the probability of occurrence of a negative event divided by the functional cost of the Security Mission:


Having several classes of resources, we should produce a graph for each class of resource and compare them in an analytical context, or use a mathematical system of n equations. It should be noted that the values in the graph range from 0 to 100, that they express percentages, and that the amount of resources given to the ICT security mission is subtracted from the information mission budget. We should introduce the definitions of real cost and functional cost of the resources.

The real cost is the price of a resource in the external market and is clearly represented in the balance sheet of the Company's mission. The functional cost is the percentage of each single resource that we should invest in the defensive measures of the resource for its operational survival.

By definition we can assume that the ICT security mission represents the percentage of the "Information mission" that should be employed for its survival and, in an extensive sense, for the "Company mission" survival. The real cost is measured in actual currency and ranges from zero to infinity; the functional cost is a percentage ratio that ranges from zero to one hundred and is dimensionally a pure number. Now we can associate, in the same graph, the ISO-line of balanced budget with the curve of security performance y = SP(x), which associates to every combination of functional cost of the Information mission a point of security performance (see Figure 7). The combination of the functional costs is efficient only in the area represented by the integral of the realistic curve. The value of security performance is

[Figure 7: **Curve of Security Performance**, y = SP(x). The plot shows a realistic curve and a non-realistic curve, axis marks at 100%, the points A:(100 - y1; y1) and B:(100 - y2; y2), and the points R1 and R2 with the corresponding values P1 and P2.]

Figure annotation: Security performance represents, for each sub-asset, the ratio between the quantity of uncompromised data and the total number of data treated by the information mission in the same amount of time. E.g. referred to the point R1, the value in the curve of SP equals P1.

Fig. 7. The curve represents the level of security performance as a function of the functional cost. (Abbo, Sun, Nov 2009 pp 289 – 293).
