Economic Model of an information security framework implementation for Colombian Organizations

DOI:

https://doi.org/10.15649/2346030X.3669

Keywords:

model, economic, framework, investments

Abstract

The limited understanding of how information security management impacts organizational economies hinders management's decision-making regarding investments in security frameworks. This challenge, coupled with the increasing threats and vulnerabilities in computer systems, reinforces cybercrime and leads to substantial financial losses. While economic models incorporating cybersecurity variables have been developed, they do not fully evaluate the implementation of a specific security framework within a specific country's context. The proposed model is aimed at economically justifying the implementation of a cybersecurity framework in Colombian organizations, thereby contributing to companies' strategic direction and economic growth. The model integrates a security framework released by the Colombian government with significant contributions from economic models selected in a systematic literature review. This integration results in a novel economic model that can be implemented across several kinds of companies.

Published

2024-05-01

How to Cite

[1]
J. C. Serna, A. E. Villamizar-Jaimes, and S. L. Vallejo, “Economic Model of an information security framework implementation for Colombian Organizations”, AiBi Revista de Investigación, Administración e Ingeniería, vol. 12, no. 2, pp. 41–48, May 2024.

Section

Research Articles
