**7. Conclusion**

The preceding sections set out some fundamental aspects of security and risk analysis.

**Firstly**, security is framed as an engineered system whose input is a malevolent human attack upon a business architecture and whose desired output is a defeated adversary and an intact asset. In the design of such an engineered security system, the desired output is the risk evaluation, expressed by numbers that result from combining the likelihood (or probability) of occurrence with the severity of the consequence(s), both of which are normally expressed qualitatively.

**Secondly**, the three pillars (the C.I.A. triangle) are treated as a whole **and not specifically considered as a multiple-value entity**, and consequently investments and the implementation of safeguards are indiscriminate. It would be more appropriate to link the value of availability, confidentiality and integrity with the asset and liability statement for each class or set of information, at the end of the appropriate working timeframe.

**Thirdly**, the security system **is not considered as an economic system**, in the sense that there is no leverage between performance and investment. The implementation of safeguards in an information system matches the risk reduction in the supported business system, but it is not compared with the Return on Investment (ROI) of those safeguards. That is a consequence of the missing system feedback mentioned above.

**Fourthly**, the implementation of safeguards in an engineered system increases the weight of the system itself and biases the efficiency of the mission.
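As an added example (not code from the paper or from any of the works it discusses), the following Python sketch puts the first three points into a computable form: a qualitative likelihood x severity score, a separate value for each C.I.A. property of an information class, and a safeguard's return on investment. Everything numeric in it is an assumption for illustration: the five-step ordinal scales, the reading of a likelihood score as an event rate and a severity score as a loss fraction, the ROSI-style formula `(risk reduction - cost) / cost`, and the asset values, threats and safeguard cost.

```python
"""Added example, not code from the paper: a small risk-evaluation model
that mirrors the first three points of the conclusion.  Scales, weights,
asset values and safeguard costs are constructed for illustration."""
from dataclasses import dataclass

# Point 1: qualitative scales.  Mapping each label to an ordinal score on a
# 1..5 scale is an assumption of this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed quantification used only for the ROI step: a likelihood score is
# read as an expected number of events per year, a severity score as the
# fraction of the affected property's value that is lost per event.
EVENTS_PER_YEAR = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 3.0}
LOSS_FRACTION = {1: 0.01, 2: 0.05, 3: 0.2, 4: 0.5, 5: 1.0}


@dataclass(frozen=True)
class InfoClass:
    """Point 2: one class of information with a separate value for each of
    the three C.I.A. properties, taken from the asset and liability statement."""
    name: str
    confidentiality: float
    integrity: float
    availability: float

    @property
    def total_value(self):
        return self.confidentiality + self.integrity + self.availability


@dataclass(frozen=True)
class Threat:
    info_class: InfoClass
    cia_property: str      # "confidentiality", "integrity" or "availability"
    likelihood: str
    severity: str


def risk_score(threat):
    """Point 1: risk = likelihood x severity on the ordinal scale (1..25)."""
    return LIKELIHOOD[threat.likelihood] * SEVERITY[threat.severity]


def annual_loss(threat, differentiated=True):
    """Expected yearly loss from one threat.  With differentiated=True only the
    value of the property actually at stake is exposed; with False the triad
    is treated as one lump sum, which is the indiscriminate view the
    conclusion criticises."""
    value = (getattr(threat.info_class, threat.cia_property) if differentiated
             else threat.info_class.total_value)
    events = EVENTS_PER_YEAR[LIKELIHOOD[threat.likelihood]]
    fraction = LOSS_FRACTION[SEVERITY[threat.severity]]
    return value * events * fraction


def portfolio_loss(threats, differentiated=True):
    return sum(annual_loss(t, differentiated) for t in threats)


def safeguard_roi(before, after, cost):
    """Point 3: return on investment of a safeguard, computed here as
    (risk reduction - cost) / cost, where the reduction is the drop in
    expected annual loss (this ROSI-style formula is an assumption)."""
    reduction = portfolio_loss(before) - portfolio_loss(after)
    return (reduction - cost) / cost


# Constructed data: two information classes and the threats to them before
# and after one safeguard (encrypted backups plus a failover site).
CUSTOMER_RECORDS = InfoClass("customer records", 500_000, 200_000, 50_000)
ORDER_PIPELINE = InfoClass("order pipeline", 20_000, 300_000, 400_000)
BEFORE = [
    Threat(CUSTOMER_RECORDS, "confidentiality", "likely", "major"),
    Threat(ORDER_PIPELINE, "availability", "possible", "moderate"),
]
AFTER = [
    Threat(CUSTOMER_RECORDS, "confidentiality", "unlikely", "major"),
    Threat(ORDER_PIPELINE, "availability", "possible", "minor"),
]
SAFEGUARD_COST = 80_000

if __name__ == "__main__":
    for t in BEFORE:
        print(f"{t.info_class.name}/{t.cia_property}: score {risk_score(t)}, "
              f"loss {annual_loss(t):,.0f} (lumped: {annual_loss(t, False):,.0f})")
    print(f"ROI of safeguard: {safeguard_roi(BEFORE, AFTER, SAFEGUARD_COST):.2f}")
```

The `differentiated=False` path shows the effect the second point warns about: valuing the availability threat to the order pipeline against the whole asset instead of its availability value almost doubles the exposure, which in turn inflates the safeguard budget it appears to justify.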

Information Security Management Accounting 135


**Fifthly**, the increasing inter-connections between IS systems **make the estimation (and consequently the management) of a given risk more and more difficult** by traditional statistical methods and/or across different information infrastructures.

The purpose of the IS security models (such as the ICT Security Company's System, the formula of Security and all the others mentioned in this publication) is to create a scientific approach to understanding the nature of IS security issues, and to manage the related problems in the most consistent way possible. The main advantage of an analytical approach is not only the possibility of always estimating costs, but also proficiency, adaptation and re-usability of an IS security architecture. At present IS security is perceived as common-sense knowledge, where the dominant perception is linked to experience; but building up rules for security performance requires a point of view that goes beyond purely empirical reports. The main perspective of IS security analysis is to create a "reference layout", in order to make layouts global, measurable and repeatable.

The creation of models should also accurately consider and analyse the growing interdependency of complex integrated information systems, which will continue and accelerate as more technologies are integrated to deliver rich services. Today we have no way to globally model, understand, monitor and manage the risks presented by the growth of these systems; in other words, no way to carry out risk assessment in the forensics domain.

The build-up of an interactive set of controlled models is the most suitable way of maintaining a "risk estimation forensics capacity" that should be able to evaluate, make understandable in real time, monitor and manage the measured rate of the security defensive profile of interconnected systems, align information architectures with organizational goals, and help these processes to cooperate.
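The fifth point and the two paragraphs above argue that interconnection makes a per-system risk estimate unreliable. As an added example (not code from the paper), the following Python model shows the mechanism on a toy "system of systems": each system carries a stand-alone outage probability, as a traditional per-system estimate would record, and a dependency graph lets the model compute how much of the real exposure that figure misses and which systems a single failure takes down. The graph, the probabilities and the independence assumption between outages are all constructed for illustration.

```python
"""Added example, not code from the paper: a toy model of how risk propagates
across interconnected information systems, showing why a per-system
statistical estimate understates the risk of a "system of systems".
The dependency graph and the outage probabilities are constructed."""

# Constructed dependency graph: system -> systems it needs to stay available.
DEPENDS_ON = {
    "web shop": {"order service", "identity provider"},
    "order service": {"database", "payment gateway"},
    "identity provider": {"database"},
    "database": set(),
    "payment gateway": set(),
}

# Constructed yearly probability that each system fails on its own.
# A traditional per-system estimate stops at this table.
OWN_OUTAGE_P = {
    "web shop": 0.05,
    "order service": 0.05,
    "identity provider": 0.04,
    "database": 0.10,
    "payment gateway": 0.08,
}


def transitive_dependencies(system, graph=DEPENDS_ON):
    """All systems `system` depends on, directly or through other systems."""
    seen, stack = set(), [system]
    while stack:
        for dep in graph[stack.pop()]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def affected_by(failed, graph=DEPENDS_ON):
    """Systems that become unavailable when `failed` goes down: its blast
    radius across the interconnected infrastructure."""
    return {s for s in graph if failed in transitive_dependencies(s, graph)}


def propagated_outage_p(system, graph=DEPENDS_ON, own=OWN_OUTAGE_P):
    """Probability that `system` is unavailable once every transitive
    dependency is counted.  Assumes own-outage events are independent, so
    P(up) is the product of P(up) over the system and its dependencies."""
    p_up = 1.0
    for s in {system} | transitive_dependencies(system, graph):
        p_up *= 1.0 - own[s]
    return 1.0 - p_up


def underestimation(system):
    """Ratio of the propagated to the stand-alone outage probability: how far
    the traditional per-system figure is off for this system."""
    return propagated_outage_p(system) / OWN_OUTAGE_P[system]


if __name__ == "__main__":
    for s in DEPENDS_ON:
        print(f"{s:18s} own {OWN_OUTAGE_P[s]:.2f}  "
              f"propagated {propagated_outage_p(s):.3f}  "
              f"affects {sorted(affected_by(s))}")
```

For the constructed graph the web shop's own figure of 0.05 becomes roughly 0.28 once its four transitive dependencies are counted, and a database outage takes three of the five systems down with it; the real interdependencies of integrated infrastructures are of course far larger than this toy, which is the point the paragraph makes about the limits of global modelling today.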

The applications cover the whole IS architecture, and a scientific analytical approach should become the necessary doctrinal baseline when entering an unplanned "system of systems" where functionality overrides resilience.

The impact of implementing the above-mentioned solutions, in terms of social, political and economic costs compared with the improvement in market benefits, can positively influence GDP if it is taken seriously by governments.
