Cost Assessment of Personnel Activities in Information Security Management 

Everyday practice shows that the most substantial part of a cybersecurity budget is related to the cost of human activities. Cybersecurity management involves many different types of actions that need to be remunerated, including the work of employees in designated cybersecurity positions, advisers, or regular personnel engaged in cybersecurity projects and initiatives. Another element that is often overlooked in the cybersecurity cost equation is the cost associated with regular personnel spending time on cybersecurity-related tasks, for instance participating in cybersecurity training, becoming familiar with cybersecurity policies and procedures, or learning new tools that support security. All these factors need to be thoroughly considered in a cybersecurity cost-benefit analysis (CBA), but the methods dedicated to it tend to focus on the profit part of the cost-benefit formula, which is related to the cost savings associated with avoided security incidents.

CAsPeA - Cost Assessment of Personnel Activities in Information Security Management - is a method that complements the portfolio of available methods for estimating the cost of cybersecurity management with a component related to the cost of human work. By enabling estimation of the cost of personnel activities related to cybersecurity management, the method aims to provide a complete view of cybersecurity costs.

References:

  • Leszczyna R., Litwin A.: Estimating the Cost of Cybersecurity Activities with CAsPeA: A Case Study and Comparative Analysis. In: Kanhere S., Patil V.T., Sural S., Gaur M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science, vol 12553. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65610-2_17
  • Leszczyna R.: Evaluating the Cost of Personnel Activities in Cybersecurity Management: A Case Study. In: Park N., Sun K., Foresti S., Butler K., Saxena N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 336. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-63095-9_17
  • Leszczyna, R.: Cost of Cybersecurity Management, pp. 127-147. Cybersecurity in the Electricity Sector. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-030-19538-0_5
  • Leszczyna, R.: Approaching secure industrial control systems. IET Information Security 9(1) (2015). https://doi.org/10.1049/iet-ifs.2013.0159
  • Leszczyna, R.: Cost assessment of computer security activities. Computer Fraud and Security 2013(7) (2013). https://doi.org/10.1016/S1361-3723(13)70063-0
  • Leszczyna, R.: Metoda szacowania kosztu zarządzania bezpieczeństwem informacji i przykład jej zastosowania w zakładzie opieki zdrowotnej. Zeszyty Kolegium Analiz Ekonomicznych (2017)

For more information, please write an e-mail to: cybsec AT zie.pg.gda.pl.