
Functional cost

The functional cost is defined as the percentage of the resources of the business system budget that is invested in the defensive measures protecting the information (author's definition).

One key point is that any instrumental item can have multiple uses, one for each entity.

For instance, an employee dedicates his or her working time to the "Company mission", but spends a percentage of that working time on the "Information mission" for duty purposes (e.g. producing digital documents, connecting to the network), and a smaller percentage on the "ICT security mission" (e.g. unlocking the door, logging into the system with a password, updating the security software, etc.).

The focal point is that, considering each single resource as 100 percent of functional units, we can split it into three complementary slots. If we plot the percentage of each relevant resource that is dedicated respectively to the Information mission and to the ICT security mission, we obtain the ISO-line of balanced budget (see Figure 6).

Fig. 6. The entire set of resources dedicated to IS systems is divided into two shares: the first is specific to the information mission and the complementary one, dedicated to security, represents the functional cost. This graphical representation belongs to the "two reciprocal exhaustive variables model" (Abbo, Sun, Nov 2009, pp. 289–293).

[Figure 6, plot not reproduced: "ISO-line of balanced budget for security management". Axes: Information mission (horizontal, 0 to 100%) and ICT security mission (vertical, 0 to 100%). Points on the line have the form A:(100-y1; y1) and B:(100-y2; y2), with abscissae 100-Y1 and 100-Y2 and ordinates Y1 and Y2 marked from the origin O.]

Having several classes of resources, we should produce a graph for each class of resource and compare them in an analytical context, or use a mathematical system of n equations. It should be pointed out that the values in the graph range from 0 to 100, that they express percentages, and that the amount of resources given to the ICT security mission is subtracted from the information mission budget. We should introduce the definitions of real cost and functional cost of the resources.

The real cost is the price of a resource in the external market and is clearly represented in the balance sheet of the Company's mission. The functional cost is the percentage of each single resource that we should invest in the defensive measures needed for that resource's operational survival.

By definition we can assume that the ICT security mission represents the percentage of the "Information mission" that should be employed for its survival and, in an extended sense, for the survival of the "Company mission". The real cost is measured in actual currency and ranges from zero to infinity; the functional cost is a percentage ratio, ranges from zero to one hundred and is dimensionally a pure number. Now we can associate, in the same graph as the ISO-line of balanced budget, the curve of security performance y = SP(x), which associates to every combination of functional cost of the Information mission a point of security performance (see Figure 7). The combination of the functional costs is efficient only in the area represented by the integral of the realistic curve.

Fig. 7. The curve represents the level of security performance as a function of the functional cost (Abbo, Sun, Nov 2009, pp. 289–293).

Information Security Management Accounting 131

A way to build up operational patterns is to consider the Information domain that needs to be secured as horizontal interlocking sets, each one with its technical, organizational and formal security issues. The sets can be considered the domains of the pertinent situation. Each domain has its functional cost and a class of security mitigation measures that can be treated as mathematical variables. The mitigation measures belong to two main categories:

- Preventive measures, which reduce the probability of a negative event, on the Y-axis of the previous figure 4;
- Protective measures, which reduce the rate of impact in case of occurrence of a negative event, on the X-axis of the previous figure 4.

Any domain can be seen as a mathematical function that links the implementation of the measures with a probability of occurrence or with a reduction percentage of the rate of impact. On the Y-axis we should have n integrated domains and, for each one, a function stating that the probability of effectiveness of the security system against a negative event and/or a category of homogeneous negative events is a function of the interaction of the implemented preventive measures:

PE = f(Pm1; Pm2; ...; Pmn)

The mathematical union of all the domains gives the global probability of effectiveness of the security system. This mathematical union corresponds to an algorithm called ASThMA, and the results can be put in the pertinent matrix (Table 2).

| Domains | Functional cost | 1 – PE | PA | PO |
|---|---|---|---|---|
| 1st Domain | % | % | % | % |
| 2nd Domain | % | % | % | % |
| ... | ... | ... | ... | ... |
| (Nth-1) Domain | % | % | % | % |
| Nth Domain | % | % | % | % |
| Mathematical Union of all Domains | % | % | % | % |

Table 2. The ASThMA matrix for preventive measures; the last four columns are the "pertinent parameters" of each domain. All numbers are percentage values. PE represents the probability of effectiveness of the security system, PA the probability of an attack and PO the probability of a negative event and/or a category of homogeneous negative events.

A similar assumption can be made for the domains on the X-axis, where the generic probability is replaced by the percentage rate of impact: the rate of impact of a negative event and/or a category of homogeneous negative events is a function of the interaction of the implemented protective measures (Table 3).

It should be noted that in each domain there are quantitative variables, which can be expressed by a numerical quantity, and qualitative variables, which can be expressed by an on/off implementation flag and a coefficient of quality. It is important to establish appropriate indicators that reflect aspects of the situation and whose calculation is done by mathematical formulas. The set of indicators is called A.S.I.A. (ABBO's Security Indicators Array). The validation of those indicators consists in their usefulness for a dual reason:

The value of security performance is represented by the ordinate of each point on the realistic curve, which is a percentage value. The difference between one hundred and the value of security performance represents both the value of "threat performance" and the "quantitative risk analysis" for any model that has the same premises and surrounding conditions.

The calculation of the functional cost should be relatively easy to isolate in a strictly accounting way, and its acceptance as an analytical tool addresses any possible scenario represented by all the families of security performances in every Information System (IS) context. In addition, any change in the security architecture of an existing or planned Information System should always take into consideration both the functional cost and the rate of security performance.

From an analytical point of view this means drawing the curve **y = SP(x)**: the functional cost is fixed, but its correspondence with the value of the Security Performance Curve is a variable that has to be won on the field. While functional cost and security performance rates are variables that should be considered in strategic planning, their dynamic confrontation belongs to operational planning. The tactical context should be tailored, in the medium term, to monitoring intrusions in order to:


The current use of data mining investigations and link analysis techniques can be profitably integrated with the broader intelligence of the "Company's Mission" or with any allied IS security systems. Actually the whole domain is largely unexplored, in the sense that "IS intelligence abilities" are mainly used in the relations either between the Information and Company missions or between the Company mission and the customers it serves. On the other hand, the reporting capacity for IS security purposes is mainly confined to operational planning, for "daily purpose statistics".

Implementing, for security purposes, the same processes that already exist between the Information and Company missions, such as CRM and Business Intelligence, together with the appropriate definition of indicators and warnings, would be a proper way to close the security loop at any implementation stage of security governance. The reporting capacity, like any "measurable issue", is limited by two main considerations. The first is the capacity of measurement, from both a technical and a managerial point of view. In this specific case, the reporting of a security disruption (or attempted intrusion) should consider whether the technological tools are proficient enough and whether their employment on a large scale can create managerial bias in the governance of the IS architecture. The second is the willingness, the need or the convenience of the Company mission management to implement a reporting process function in the tactical domain, the threshold of implementation and the level of accuracy.
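As an added worked example (not code from the chapter or from the ASThMA/A.S.I.A. authors), the following Python script builds the ASThMA matrix for preventive measures of Table 2 from a constructed set of domains. The chapter writes PE = f(Pm1; Pm2; ...; Pmn) without fixing f and does not state how PA, PE and PO are linked, so the combination rules in the script (independent measures, PO = PA · (1 − PE), and the way the "Mathematical Union of all Domains" row is formed) are this example's own assumptions, as are the domain names and sample percentages.

```python
"""Added example, not code from the chapter: an executable sketch of the
ASThMA matrix for preventive measures (Table 2).  The chapter writes
PE = f(Pm1; Pm2; ...; Pmn) without fixing f and does not state how PA, PE
and PO are linked, so the rules below are this example's own assumptions:

  * f: each implemented preventive measure is an independent chance of
    stopping the event, so PE = 1 - prod(1 - Pm_i)
  * PO = PA * (1 - PE): a negative event needs an attack that the
    security system fails to stop
  * the "Mathematical Union of all Domains" row: functional cost is the
    sum of the domain shares; PA and PO are the probabilities that at
    least one domain is attacked / suffers the event (independence again),
    and 1 - PE is then PO / PA so the row obeys the same PO = PA * (1 - PE)

Every value is a percentage between 0 and 100, as in Table 2.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    functional_cost: float        # share of the budget spent defending this domain (%)
    attack_probability: float     # PA (%)
    # implemented preventive measures: name -> Pm_i, the chance (%) that this
    # measure alone stops the event; measures switched "off" are simply absent
    measures: dict = field(default_factory=dict)


def at_least_one(probabilities):
    """Assumed combination rule: probability (%) that at least one of several
    independent events with the given probabilities (%) happens."""
    none_happen = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 100.0:
            raise ValueError(f"probability out of range: {p}")
        none_happen *= 1.0 - p / 100.0
    return 100.0 * (1.0 - none_happen)


def domain_row(domain):
    """One Table 2 row: functional cost, 1 - PE, PA, PO for a single domain."""
    pe = at_least_one(domain.measures.values())            # PE = f(Pm1..Pmn), assumed f
    po = domain.attack_probability * (100.0 - pe) / 100.0  # assumed PO = PA * (1 - PE)
    return {"domain": domain.name, "functional_cost": domain.functional_cost,
            "1-PE": 100.0 - pe, "PA": domain.attack_probability, "PO": po}


def union_row(rows):
    """The 'Mathematical Union of all Domains' row, under the assumptions above."""
    pa = at_least_one(r["PA"] for r in rows)
    po = at_least_one(r["PO"] for r in rows)
    one_minus_pe = 100.0 * po / pa if pa else 0.0
    return {"domain": "Mathematical Union of all Domains",
            "functional_cost": sum(r["functional_cost"] for r in rows),
            "1-PE": one_minus_pe, "PA": pa, "PO": po}


def asthma_matrix(domains):
    """All domain rows followed by the union row, in Table 2 order."""
    rows = [domain_row(d) for d in domains]
    rows.append(union_row(rows))
    return rows


def format_matrix(rows):
    """Render the matrix as a text table in the layout of Table 2 (cells in %)."""
    header = f"{'Domains':<36}{'Func. cost':>12}{'1 - PE':>10}{'PA':>8}{'PO':>8}"
    lines = [header]
    for r in rows:
        lines.append(f"{r['domain']:<36}{r['functional_cost']:>11.1f}%"
                     f"{r['1-PE']:>9.1f}%{r['PA']:>7.1f}%{r['PO']:>7.1f}%")
    return "\n".join(lines)


# Constructed sample domains (illustrative numbers, not data from the chapter).
SAMPLE_DOMAINS = [
    Domain("Network perimeter", 6.0, 40.0, {"firewall": 70.0, "IDS": 50.0}),
    Domain("Endpoints", 4.0, 60.0, {"patching": 60.0, "anti-malware": 50.0}),
    Domain("Physical access", 2.0, 10.0, {"badge lock": 90.0}),
]

if __name__ == "__main__":
    print(format_matrix(asthma_matrix(SAMPLE_DOMAINS)))
```

With the sample domains the perimeter row comes out as 1 − PE = 15%, PA = 40%, PO = 6%, and the union row keeps the PO = PA · (1 − PE) relation the single rows obey; swapping in another combination rule for f only requires changing `at_least_one`, which is the part of the model the chapter leaves open.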
