**1. Introduction**

Increased computer interconnectivity and the popularity of the Internet are offering organizations of all types unprecedented opportunities to improve operations by reducing paper processing, cutting costs and sharing information. However, the success of many of these efforts depends, in part, on an organization's ability to protect the integrity and confidentiality of the data and systems it relies on.

Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organisations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In the field of information security the issues tend to be complex and are rarely solved simply by applying a piece of technology.

Furthermore, the growing interdependency of complex integrated information systems will continue and accelerate as more technologies are integrated to deliver rich services. Today there is no way to model, understand, monitor and manage the risks presented by the growth of these systems. That also means that investments in information security cannot be sized with appropriate accuracy and instead follow the common principle of redundancy, increasing the non-productive costs of the businesses and/or services that are supported by the above-mentioned systems.

On the other hand, the failures of information security during the past decade have been nothing short of spectacular. The inability of organisations to prevent increasingly dramatic compromises has led to huge financial losses, produced a great deal of embarrassment and put every sector of the global economy at risk. Despite increasingly draconian legal, commercial and regulatory activity, the losses continue to mount, national interests are still at risk and "information crimes" proliferate unabated.

Security is a delicate matter. It is one of the important elements in modern communications today and has many implications for modern life. In order to manage the complexity of this subject it is essential to define the scope of the global research, which should focus on the protection of information, defined as the collection of facts, which can take many forms (text, numbers, images, audio and video clips).

Information Security Management Accounting 115

The core tenets of information protection are confidentiality, integrity and availability (also defined as the CIA triangle), and the perspective of information security is to reduce both the number of events that cause information security breaches and the range of damages related to those breach events. The research field must focus on the frame that keeps under control the information that should be protected. In general terms we can assume that the information moves, in a delivering system, from a point of production to a point of utilization, and a delivering system can be considered as multiple progressive segments of points of departure and points of arrival for the information, in accordance with logical atomism.

Logical atomism is a philosophical belief that originated in the early 20th century with the development of analytic philosophy. The theory holds that the world consists of ultimate logical "facts" (or "atoms") that cannot be broken down any further.

The information is produced (processed) in one physical site, stored in the same or in another site and communicated through a physical medium to the site of utilization. All three entities (production, communication and utilization) exploit instrumental items such as facilities hosting the pertinent devices, hardware, software, operating systems, application programs, files and physical means of communication (internal and external networks), and are linked to human factors such as operational management policy, training, working activities and the end purpose of the delivered information. The delivering systems have information end users that exploit the information for a specific aim. Information and all the instrumental items that are components of a delivering system need specific, dedicated, interdepartmental protections in order to reduce the possibility of information breaches.

Therefore the field of application for this research is individuated in:

- The physical outer edge that contains all the instrumental items for producing, communicating and utilizing the information, the running of the associated information delivering system and its security architecture;
- The state of the art of security engineering and management;
- The risk of breaches in the CIA triangle and the way in which those breaches influence or damage the purpose of the information end user;
- The set of methodologies to individuate pertinent and useful metrics, and their validation.

In accordance with the definition of security, "the protection of resources from damage and the protection of data against accidental or intentional disclosure to unauthorized persons or unauthorized modifications or destruction", the research field should include the security analysis of all the physical and digital dimensions of information, the purpose that sparks off the production, the delivery and the end user exploitation of information, and furthermore the negotiating power with the threat and the consequences, for the end user's information purpose, of the different kinds of breaches.

The actual state of the art should deal with four problems that are the addressees of information security research.

**The first research problem** consists in establishing the appropriate information security metrics to be exploited by those who have control of the information. Metrics is a term used to denote a measure based on a reference and involves at least two points, the measure and the reference. Security in its most basic meaning is the protection from or absence of danger. Literally, security metrics should tell us about the state or degree of safety relative to a reference point and what to do to avoid danger. Contemporary security metrics by and large fail to do so. They tell us little about the actual degree of "safety" of our system processes, much less about the organization as a whole. They say little about the appropriate course of action, and they are typically not specific to the needs of the recipient.

Security metrics are not well developed outside of a narrow range of IT-centric measures. While these measures may be useful for managing specific technologies such as patch management or server hardening, they are of little use in "managing" overall security. There is little to guide the direction of a security program or provide the basis for making decisions.

Indeed, Andrew Jaquith of the Yankee Group expressed it well at the Metricon 1 metrics conference in 2006 during a keynote speech:

*"Security is one of the few areas of management that does not possess a well understood canon of techniques for measurement. In logistics, for example, metrics like "freight cost per mile" and "inventory warehouse turns" help operators understand how efficiently trucking fleets and warehouses run. In finance, "value at risk" techniques calculate the amount of money a firm could lose on a given day based on historical pricing volatilities. By contrast, in security there is exactly nothing. No consensus on key indicators exists."*

Considering any system that delivers information from point A (where the information is physically produced or stored) to point B (final information end user) through a range of A\* intermediate points (where A\* can range from 0 to ∞), the resolution of the first problem aims to introduce and validate, as a baseline tool for security analysis, the following metrics:

- The measure of the functional cost of the implemented security safeguards all along the course of the information;
- The forejudged calculus of the probability of breaches (complementary to the estimated percentage rate of security performance) linked to a given functional cost;
- The individuation of the pertinent domains. The domain is a logical entity through which the tri-mission situation is analyzed (e.g. Legal domain, Architectural framework domain, Governance domain and so on). The domains represent both a point of view of a functional perspective and an organizational filter of a dedicated analysis;
- The rate of information system burdening, in terms of loss of effectiveness for the end user purposes, due to the implemented security safeguards.

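The metrics above are stated only in words. The following Python model is an added illustration, not code from the chapter or its author, of one way to make three of them computable for a delivering system seen as a chain of segments from A through the A\* intermediate points to B. Its assumptions are mine: each segment carries its own safeguard cost, a forejudged breach probability and a burden fraction; segments are breached independently, so the end-to-end breach probability compounds multiplicatively; costs add; and the burden compounds the same way. The segment names and all numbers are constructed sample values. The last function links the breach-probability metric to the functional cost by comparing a baseline chain with a hardened one, which is the kind of technology-independent indicator the text goes on to ask for.

```python
from dataclasses import dataclass
from math import prod
from typing import Sequence


@dataclass(frozen=True)
class Segment:
    """One hop of the delivering system: a point of departure and a point of arrival.
    (Hypothetical structure; the chapter does not prescribe one.)"""
    name: str
    safeguard_cost: float      # functional cost of the safeguards on this hop (constructed units)
    breach_probability: float  # forejudged probability that a breach occurs on this hop
    burden: float              # fraction of end-user effectiveness lost because of the safeguards

    def __post_init__(self) -> None:
        for label, value in (("breach_probability", self.breach_probability),
                             ("burden", self.burden)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} must lie in [0, 1], got {value}")
        if self.safeguard_cost < 0:
            raise ValueError(f"{self.name}: safeguard_cost must be non-negative")


def _require_chain(chain: Sequence[Segment]) -> None:
    # A* = 0 intermediate points still leaves one segment (A -> B); an empty chain delivers nothing.
    if not chain:
        raise ValueError("a delivering system needs at least the A -> B segment")


def functional_cost(chain: Sequence[Segment]) -> float:
    """Metric 1: total functional cost of safeguards along the course of the information (assumed additive)."""
    _require_chain(chain)
    return sum(s.safeguard_cost for s in chain)


def end_to_end_breach_probability(chain: Sequence[Segment]) -> float:
    """Metric 2: probability that at least one hop is breached, assuming hops fail independently."""
    _require_chain(chain)
    return 1.0 - prod(1.0 - s.breach_probability for s in chain)


def security_performance_rate(chain: Sequence[Segment]) -> float:
    """Complement of metric 2: the share of deliveries expected to reach B unbreached."""
    return 1.0 - end_to_end_breach_probability(chain)


def burdening_rate(chain: Sequence[Segment]) -> float:
    """Metric 4: compounded loss of end-user effectiveness caused by the safeguards."""
    _require_chain(chain)
    return 1.0 - prod(1.0 - s.burden for s in chain)


def cost_per_point_of_protection(baseline: Sequence[Segment],
                                 hardened: Sequence[Segment]) -> dict:
    """Link metric 2 to metric 1: extra cost paid per percentage point of breach probability removed.
    Returns inf when the hardened chain removes no breach probability (money spent, nothing gained)."""
    delta_cost = functional_cost(hardened) - functional_cost(baseline)
    delta_breach = (end_to_end_breach_probability(baseline)
                    - end_to_end_breach_probability(hardened))
    ratio = delta_cost / (100.0 * delta_breach) if delta_breach > 0 else float("inf")
    return {"delta_cost": delta_cost,
            "delta_breach_probability": delta_breach,
            "cost_per_point": ratio}


def summarize(chain: Sequence[Segment]) -> dict:
    """All per-chain metrics in one place, for reporting or comparison."""
    return {"functional_cost": functional_cost(chain),
            "breach_probability": end_to_end_breach_probability(chain),
            "security_performance_rate": security_performance_rate(chain),
            "burdening_rate": burdening_rate(chain)}


# Constructed sample: A -> X1 -> X2 -> B, i.e. A* = 2 intermediate points.
BASELINE = (
    Segment("A -> X1", safeguard_cost=10.0, breach_probability=0.05, burden=0.02),
    Segment("X1 -> X2", safeguard_cost=5.0, breach_probability=0.10, burden=0.01),
    Segment("X2 -> B", safeguard_cost=20.0, breach_probability=0.02, burden=0.05),
)
# Same chain with the weakest hop hardened: more cost, less breach probability, more burden.
HARDENED = (
    BASELINE[0],
    Segment("X1 -> X2", safeguard_cost=15.0, breach_probability=0.03, burden=0.03),
    BASELINE[2],
)

if __name__ == "__main__":
    for label, chain in (("baseline", BASELINE), ("hardened", HARDENED)):
        print(label, summarize(chain))
    print("hardening trade-off", cost_per_point_of_protection(BASELINE, HARDENED))
```

The burden metric is deliberately kept separate from the cost and breach metrics: the comparison function shows that hardening X1 -> X2 buys protection at a price in money, while `summarize` shows it also raises the burdening rate, which is exactly the trade-off the fourth metric is meant to expose.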

**The second research problem** looks for the identification of appropriate security indicators that can be used to link the metrics of a security engineered system (the first problem's metrics) to mathematical indicators; these represent the security of the system independently of the technology employed and can also be a baseline for comparison with other systems or interconnected systems. The indicators can be seen as the negotiating power in force between the protection of the purpose of an information system and the possible threats. Creating an array of security indicators is both a means of measuring the operational efficiency of information security and a tool for creating regulatory standards for security.

**The third research problem** is related to risk analysis. At the moment there is a consolidated literature that shows the way to identify, evaluate, estimate and treat risk based on empirical methods. However, that literature seems inappropriate for information systems as a whole when they are interconnected under different security standards and the information comes under the control of different entities. The solution can be individuated by considering the risk analysis with the existing methods and correlating it directly to the purpose of the information end user.

**The fourth research problem** consists in the evaluation of the return on investment (ROI) of information security implementation.

**DEFINITION OF SECURITY**

The assets of information security issues usually include three to five elements. Examples of major security categories include confidentiality, privacy, integrity, authentication, authorization and non-repudiation. The E-Government Act of 2002, section 3542 (B), defines the integrity, confidentiality and availability attributes of security (Barker C. W. p.308):

**Integrity**: Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.

Integrity is the principle that information should be protected from intentional, unauthorized or accidental changes. Information stored within files, databases, systems and networks must be able to be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified only through accepted practices. Management controls such as the segregation of duties, specification of the systems development life cycle with approval checkpoints, and implementation of testing practices assist in providing information integrity. Well-formed transactions and security of updated programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification.

**Availability**: The property of ensuring timely and reliable access to and use of information. Availability is the principle that information is accessible when needed. The two primary areas affecting the availability of a system are denial of service due to the lack of adequate security controls and loss of service due to disaster, such as an earthquake, tornado, blackout, hurricane, fire, flood and so forth. In either case, the end user does not have access to the information needed to perform his or her job duties. The criticality of the system to the user and its importance to the survival of the organization will determine how significant the impact of the extended downtime becomes.

Fig. 1. Definition of Security with the application of set diagrams. (Figure text: **S = f(A, T, P) in Si**; security is a function of the interaction of its components, Asset (A), Protector (P) and Threat (T), in a given Situation (Si).)
