Modelo Económico de implementación de un marco de seguridad de la información para las Organizaciones Colombianas.

Juan Carlos Serna; Aixa Eileen Villamizar-Jaimes; Silvana Lorena Vallejo

doi:10.15649/2346030X.3669

Autores/as

Juan Carlos Serna Tecnológico de Antioquia - Medellín, Colombia https://orcid.org/0009-0000-4093-0120
Aixa Eileen Villamizar-Jaimes Tecnológico de Antioquia - Medellín, Colombia https://orcid.org/0000-0002-4070-1763
Silvana Lorena Vallejo Tecnológico de Antioquia - Medellín, Colombia https://orcid.org/0000-0002-6770-0840

DOI:

https://doi.org/10.15649/2346030X.3669

Palabras clave:

model, economic, framework, investments

Resumen

La limitada comprensión de cómo la gestión de la seguridad de la información impacta en las economías organizacionales dificulta el proceso de toma de decisiones de la gerencia con respecto a las inversiones en marcos de seguridad. Este desafío, junto con el aumento de las amenazas y vulnerabilidades en los sistemas informáticos, refuerza la ciberdelincuencia y conduce a pérdidas financieras sustanciales. Si bien se han desarrollado modelos económicos que incorporan variables de ciberseguridad, no evalúan completamente la implementación de un marco de seguridad específico dentro del contexto de un país específico. El modelo propuesto tiene como objetivo justificar económicamente la implementación de un marco de ciberseguridad en las organizaciones colombianas, contribuyendo así a la dirección estratégica y al crecimiento económico de las empresas. El modelo integra un marco de seguridad publicado por el gobierno colombiano con contribuciones significativas de modelos económicos seleccionados en una revisión sistemática de la literatura. Esta integración da como resultado un modelo económico novedoso que se puede implementar en varios tipos de empresas.

Referencias

R. Anderson and T. Moore, “Information security: Where computer science, economics and psychology meet,” Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, vol. 367, no. 1898, pp. 2717–2727, 2009, doi: 10.1098/rsta.2009.0027.

E. M. Ahmed, “Modelling Information and Communications Technology Cyber Security Externalities Spillover Effects on Sustainable Economic Growth,” Journal of the Knowledge Economy, vol. 12, no. 1, pp. 412–430, 2021, doi: 10.1007/s13132-020-00627-3.

A. A. Alahmari and R. A. Duncan, “Towards Cybersecurity Risk Management Investment: A Proposed Encouragement Factors Framework for SMEs,” in 2021 IEEE International Conference on Computing, ICOCO 2021, 2021, pp. 115–121. doi: 10.1109/ICOCO53166.2021.9673554.

E. M. Ahmed, “Modelling Information and Communications Technology Cyber Security Externalities Spillover Effects on Sustainable Economic Growth,” Journal of the Knowledge Economy, vol. 12, no. 1, pp. 412–430, Mar. 2021, doi: 10.1007/s13132-020-00627-3.

R. Anderson and T. Moore, “Information security: where computer science, economics and psychology meet,” Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, vol. 367, no. 1898, pp. 2717–2727, Jul. 2009, doi: 10.1098/rsta.2009.0027.

R. Anderson, “Why information security is hard - an economic perspective,” in Seventeenth Annual Computer Security Applications Conference, IEEE Comput. Soc, 2001, pp. 358–365. doi: 10.1109/ACSAC.2001.991552.

A. A. Alahmari and R. A. Duncan, “Towards Cybersecurity Risk Management Investment: A Proposed Encouragement Factors Framework for SMEs,” in 2021 IEEE International Conference on Computing (ICOCO), IEEE, Nov. 2021, pp. 115–121. doi: 10.1109/ICOCO53166.2021.9673554.

A. Panou, C. Ntantogian, and C. Xenakis, “RiSKi,” in Proceedings of the 21st Pan-Hellenic Conference on Informatics, New York, NY, USA: ACM, Sep. 2017, pp. 1–6. doi: 10.1145/3139367.3139426.

J. Abreu, “Hipótesis, método & diseño de investigación (hypothesis, method & research design),” Daena: International Journal of Good Conscience, vol. 7, no. 2, pp. 187–197, 2012.

A. Fedele and C. Roner, “Dangerous games: A literature review on cybersecurity investments,” J Econ Surv, vol. 36, no. 1, pp. 157–187, 2022, doi: 10.1111/joes.12456.

T. Kissoon, “Optimum spending on cybersecurity measures,” Transforming Government: People, Process and Policy, vol. 14, no. 3, pp. 417–431, 2020, doi: 10.1108/TG-11-2019-0112.

Y. Miaoui and N. Boudriga, “Enterprise security investment through time when facing different types of vulnerabilities,” Information Systems Frontiers, vol. 21, no. 2, pp. 261–300, 2019, doi: 10.1007/s10796-017-9745-3.

A. Schilling and B. Werners, “Optimal information security expenditures considering budget constraints,” in Pacific Asia Conference on Information Systems, PACIS 2015 - Proceedings, 2015. [Online]. Available: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85011024539&partnerID=40&md5=45602e3470140f27013a253c6b52a88d.

C. D. Huang, R. S. Behara, and J. Goo, “Optimal information security investment in a Healthcare Information Exchange: An economic analysis,” Decis Support Syst, vol. 61, no. 1, pp. 1–11, 2014, doi: 10.1016/j.dss.2013.10.011.

C. Onwubiko and A. Onwubiko, “Cyber kpi for return on security investment,” in 2019 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), IEEE, 2019, pp. 1–8.

T. Yaqoob, A. Arshad, H. Abbas, M. F. Amjad, and N. Shafqat, “Framework for Calculating Return on Security Investment (ROSI) for Security-Oriented Organizations,” Future Generation Computer Systems, vol. 95, pp. 754–763, 2019, doi: https://doi.org/10.1016/j.future.2018.12.033.

D. W. Woods and A. C. Simpson, “Towards Integrating Insurance Data into Information Security Investment Decision Making,” in 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), 2018, pp. 1–6. doi: 10.1109/CyberSA.2018.8551375.

R. Bojanc, B. Jerman-Blažič, and M. Tekavčič, “Managing the investment in information security technology by use of a quantitative modeling,” Inf Process Manag, vol. 48, no. 6, pp. 1031–1052, 2012, doi: https://doi.org/10.1016/j.ipm.2012.01.001.

Z. Rashid, U. Noor, and J. Altmann, “Economic model for evaluating the value creation through information sharing within the cybersecurity information sharing ecosystem,” Future Generation Computer Systems, vol. 124, pp. 436–466, 2021, doi: 10.1016/j.future.2021.05.033.

J. A. Paul and M. Zhang, “Decision support model for cybersecurity risk planning: A two-stage stochastic programming framework featuring firms, government, and attacker,” Eur J Oper Res, vol. 291, no. 1, pp. 349–364, 2021, doi: 10.1016/j.ejor.2020.09.013.

M. D. Iannacone and R. A. Bridges, “Quantifiable & comparable evaluations of cyber defensive capabilities: A survey & novel, unified approach,” Comput Secur, vol. 96, p. 101907, 2020, doi: https://doi.org/10.1016/j.cose.2020.101907.

E. Weishäupl, E. Yasasin, and G. Schryen, “Information security investments: An exploratory multiple case study on decision-making, evaluation and learning,” Comput Secur, vol. 77, pp. 807–823, 2018, doi: 10.1016/j.cose.2018.02.001.

M. Ezhei and B. Tork Ladani, “Information sharing vs. privacy: A game theoretic analysis,” Expert Syst Appl, vol. 88, pp. 327–337, 2017, doi: 10.1016/j.eswa.2017.06.042.

A. Nagurney and L. S. Nagurney, “A game theory model of cybersecurity investments with information asymmetry,” NETNOMICS: Economic Research and Electronic Networking, vol. 16, no. 1–2, pp. 127–148, 2015, doi: 10.1007/s11066-015-9094-7.

D. Tosh, S. Sengupta, C. A. Kamhoua, and K. A. Kwiat, “Establishing evolutionary game models for CYBer security information EXchange (CYBEX),” J Comput Syst Sci, vol. 98, pp. 27–52, 2018, doi: https://doi.org/10.1016/j.jcss.2016.08.005.

E. Weishäupl, E. Yasasin, and G. Schryen, “A multi-Theoretical literature review on information security investments using the resource-based view and the organizational learning theory,” in 2015 International Conference on Information Systems: Exploring the Information Frontier, ICIS 2015, 2015. [Online]. Available: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85126603063&partnerID=40&md5=01e728bc68f1617459291cb267d49d31.

C. Y. Jeong, S.-Y. T. Lee, and J.-H. Lim, “Information security breaches and IT security investments: Impacts on competitors,” Information & Management, vol. 56, no. 5, pp. 681–695, 2019, doi: https://doi.org/10.1016/j.im.2018.11.003.

S. Kamiya, J.-K. Kang, J. Kim, A. Milidonis, and R. M. Stulz, “Risk management, firm reputation, and the impact of successful cyberattacks on target firms,” J financ econ, vol. 139, no. 3, pp. 719–749, 2021, doi: https://doi.org/10.1016/j.jfineco.2019.05.019.

Y. Kurii and I. Opirskyy, “Analysis and Comparison of the NIST SP 800-53 and ISO/IEC 27001:2013,” in CEUR Workshop Proceedings, 2022, pp. 21–32. [Online]. Available: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85143792195&partnerID=40&md5=6672f25624c8d26cff9b20cedaa8d232.

P. P. Roy, “A High-Level Comparison between the NIST Cyber Security Framework and the ISO 27001 Information Security Standard,” in 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications, NCETSTEA 2020, 2020. doi: 10.1109/NCETSTEA48365.2020.9119914.

M. R. O. Díaz and P. E. S. Rangel, “National challenges for cybersecurity on a global level: An analysis for Colombia,” Revista Criminalidad, 2020, [Online]. Available: http://www.scielo.org.co/scielo.php?pid=S1794-31082020000200199&script=sci_abstract&tlng=en.

C. Onwubiko and A. Onwubiko, “Cyber KPI for Return on Security Investment,” in 2019 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), IEEE, Jun. 2019, pp. 1–8. doi: 10.1109/CyberSA.2019.8899375.