What is the true cost to companies of IT security?

Research project led by the University of Göttingen develops assessment method of information technology security for businesses

How can companies evaluate whether specific measures taken will strengthen their Information Technology (IT) security? How can they find out what the real costs to their business will be? Researchers are addressing these questions in their research collaboration "Processor-Informed Economic Evaluation and Selection of IT Security Measures" (ProBITS), led by the University of Göttingen. The Federal Ministry of Education and Research (BMBF) has funded the project for three years with a total of around 1.4 million euros.

Due to the constantly changing level of threat, whether due to cyber-attacks or new legal requirements, companies are increasingly required to implement complex bundles of different computer programmes and other measures to ensure IT security. "In practice, we see that it is not only costly to implement such measures: in fact, as we have observed, these measures have a significant impact on everyday business. They can lead to business processes taking longer and can drive up costs. In addition, they can make business processes more complex and thus less flexible when they have to suddenly adapt to a new situation," explains Professor Simon Trang, Junior Professor for Information Security and Compliance at the University of Göttingen. Classic evaluation models of investment costing, such as the Return on Security Investment, fall short when it comes to evaluating other business costs, apart from the immediate financial impact of IT security measures. In addition, companies often do not have the relevant data on how vulnerable they really are to cyber-attacks and how serious the damage is likely to be in the event of an attack. "In small and medium-sized enterprises, there is usually no dedicated employee for IT security, and there is often a lack of knowledge and experience regarding IT security," says Trang.

The ProBITS team aims to develop a scalable method that companies can use to economically evaluate and select IT security measures. The focus will be on the business process: "Companies should be able to include the effects on the process, which are currently difficult to calculate, in their evaluation," says Trang. "We want to detect the barriers to the introduction and use of IT security measures and reduce possible obstacles. The project thus makes a significant contribution to increasing IT security while not ignoring other business pressures."

Partners in the ProBITS project are: University of Halle-Wittenberg, msu solutions GmbH, and Rezept-prüfstelle Duderstadt GmbH.  There is also a sub-project – "ProBITS made simple” – led by the University of Göttingen for the development of the ProBITS method. The focus of the sub-project is to identify obstacles to the introduction of IT security measures and to support companies in introducing the ProBITS method. The BMBF is funding the sub-project with around 486,000 euros.

 

Contact:
Professor Simon Trang
University of Göttingen
Junior Professor for Information Security and Compliance
Platz der Göttinger Sieben 5, 37077 Göttingen, Germany
Tel: +49 (0)551 39 29723
Email:  simon.trang@wiwi.uni-goettingen.de
infsec.uni-goettingen.de