An Information Security Assessment System's Design And Implementation

Posted on: 2009-11-21
Degree: Master
Type: Thesis
Country: China
Candidate: J G He
Full Text: PDF
GTID: 2178360245469988
Subject: Information security

Abstract/Summary:
Information technology has brought great improvement to society as a whole. As information becomes more and more important to people, the information infrastructure faces more and more security threats, and organizations such as governments and companies are paying closer attention to information security. How to evaluate the value of an information security investment is one of the key questions for decision-makers, yet there is currently no mature, workable methodology for doing so.

This thesis aims to build a quantitative, workable and practical model for evaluating the value of information security investment and the effectiveness of information security work, so that decision-makers can make sound investment decisions.

Drawing on theories of information security value, the thesis divides the value of an information security investment into two parts: an economic part and a non-economic part. The economic part is further divided into risk mitigated and cost savings. Based on the best practice of a large IT company, the thesis gives detailed steps for analyzing the risk mitigated and the cost savings; these steps are intended to keep the whole evaluation process workable and reliable. For the non-economic part, the thesis designs practical security capability questionnaires and a BS7799 compliance questionnaire, whose answers reflect the information security level of an organization.

Beyond the methodology and the operating procedure, a working system was also built that lets administrators evaluate the value of a security investment. It collects input data as Excel files and produces a final Word report of the calculated results.
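The abstract names the economic part of the model (risk mitigated plus cost savings, summarised as ROSI) but does not show how the figures are combined. The block below is an added example, not the thesis's own system or its analysis steps: it quantifies only the economic part, assumes the conventional decomposition of expected loss into single loss expectancy times annualised rate of occurrence (ALE = SLE x ARO), and uses constructed sample figures for two risks and one control. The `Risk`, `Investment`, `rosi_sensitivity` and `break_even_cost` names are this example's own. The sensitivity function is there because ARO estimates are the weakest input to any ROSI figure and a practitioner should see how far the result moves when they are off.

```python
"""Worked ROSI (return on security investment) calculation.

Added example, not code from the thesis. Economic value is modelled as
(risk mitigated + cost savings); risk mitigated is the reduction in
annualised loss expectancy, ALE = SLE x ARO, with and without the control.
That decomposition is an assumption of this example, not a claim about how
the thesis measures "risk mitigated".
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float          # single loss expectancy: loss per incident, in currency units
    aro_before: float   # annualised rate of occurrence without the control
    aro_after: float    # annualised rate of occurrence with the control in place

    def ale_before(self) -> float:
        return self.sle * self.aro_before

    def ale_after(self) -> float:
        return self.sle * self.aro_after

    def mitigated(self) -> float:
        """Annual loss avoided by the control for this one risk."""
        return self.ale_before() - self.ale_after()


@dataclass(frozen=True)
class Investment:
    name: str
    annual_cost: float        # amortised cost of the control per year
    cost_savings: float       # operational savings per year (e.g. less manual clean-up)
    risks: tuple[Risk, ...]   # risks whose ARO the control reduces

    def risk_mitigated(self) -> float:
        return sum(r.mitigated() for r in self.risks)

    def annual_benefit(self) -> float:
        """Economic value per year: risk mitigated plus cost savings."""
        return self.risk_mitigated() + self.cost_savings

    def rosi(self) -> float:
        """(benefit - cost) / cost. Positive means the control pays for itself."""
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive")
        return (self.annual_benefit() - self.annual_cost) / self.annual_cost


def break_even_cost(inv: Investment) -> float:
    """Largest annual cost at which ROSI is still >= 0."""
    return inv.annual_benefit()


def rosi_sensitivity(inv: Investment, factors: tuple[float, ...]) -> dict[float, float]:
    """Recompute ROSI with every ARO (before and after) scaled by each factor.

    A factor of 0.5 models incidents being half as frequent as estimated,
    2.0 twice as frequent. Cost savings are left unchanged.
    """
    out: dict[float, float] = {}
    for f in factors:
        scaled = tuple(
            replace(r, aro_before=r.aro_before * f, aro_after=r.aro_after * f)
            for r in inv.risks
        )
        out[f] = replace(inv, risks=scaled).rosi()
    return out


# Constructed sample figures (hypothetical, for illustration only).
EXAMPLE = Investment(
    name="EDR + MFA rollout",
    annual_cost=100_000.0,
    cost_savings=15_000.0,
    risks=(
        Risk("ransomware outbreak", sle=200_000.0, aro_before=0.5, aro_after=0.1),
        Risk("phishing credential theft", sle=20_000.0, aro_before=4.0, aro_after=1.0),
    ),
)

if __name__ == "__main__":
    print(f"{EXAMPLE.name}: risk mitigated {EXAMPLE.risk_mitigated():,.0f}/yr, "
          f"ROSI {EXAMPLE.rosi():.2f}, break-even cost {break_even_cost(EXAMPLE):,.0f}/yr")
    for f, r in rosi_sensitivity(EXAMPLE, (0.5, 1.0, 2.0)).items():
        print(f"  ARO x{f}: ROSI {r:+.2f}")
```

With the sample figures the control mitigates 140,000 per year and returns a ROSI of 0.55, but halving every ARO estimate drives it negative (-0.15). That swing is the point: a ROSI figure presented without the frequency assumptions behind it is not a basis for an investment decision.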
Keywords/Search Tags: Information Security Value, Investment Analysis, ROSI, Risk Quantization