ISO/IEC TR 27016:2014 — IT Security — Security techniques — Information security management – Organizational economics
An Australian contribution to the New Work Item Proposal for this standard noted:
“Information security professionals, whether working as specialist consultants or working as employees of organisations, commonly report difficulty justifying the expenditure of money on information security controls to managers with a primary focus on financial matters concerning the core business of that organization. In many cases, this problem arises because there is no agreed way to relate matters concerning economics and information security. The proposed standard will reduce such problems.
The objective of the proposed standard is to present guidelines based on commonly accepted good practice that can be used and understood by both information security professionals and general managers to discuss information security programme initiatives and alternatives in terms of the financial outcomes that are expected.”
As to whether the published standard meets those goals, read on.
Scope and purpose
The following introductory chunk gives a flavour:
“This Technical Report provides guidelines on information security economics as a decision making process concerning the production, distribution, and consumption of scarce goods and services, each of which have alternative uses in order to accomplish an organization’s goals with minimal cost. Actions for the protection of an organization’s information assets require resources, which otherwise could be allocated to alternative non-information security related uses.” [quoted from the PDTR version, subject to change prior to publication]
The ISO catalogue page says this standard “provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.”
The Technical Report is intended to:
- Help management appreciate and understand the financial impacts of information security in the context of an ISO27k ISMS, along with political, social, compliance and other potential impacts on the organization that collectively influence how much it needs to invest in protecting its information assets;
- Support the CISO or ISM in proposing corporate investment in an ISMS to senior management, and justifying the budget;
- Cover the valuation of information assets plus the corresponding information risks and information security controls, and hence will help management determine the appropriate level of resources needed to implement and operate an ISMS. The idea being, basically, to invest just the right amount in the ISMS, neither too little nor too much;
- Extend to the level of determining appropriate investment in various parts or elements of an ISMS, for example how much to invest in information risk assessment activities versus information security controls;
- Supplement other ISO27k standards by providing the financial perspective, providing guidance on the fundamentals of economics in this field and showing how to apply useful economic or financial models to information security through descriptions and examples, perhaps including a cost-benefit statement or business case and suggesting financial metrics;
- Be generic: each user organisation will have to develop its own customised business case for the ISMS investment, reflecting its particular circumstances and needs. Each organization is unique. However, the standard may provide a general framework or structure as a starting point, along with some ‘donor text’ that might be quoted or adapted by users where applicable, for example laying out the fundamentals and suggesting common ways to value and justify an ISMS.
Status of the standard
The standard was published in 2014 as a Technical Report rather than a full International Standard, since this is deemed a developing field of study.
I had hoped the standard would address risks such as:
- Management under-valuing and hence under-appreciating information security and deprioritizing it relative to other business initiatives and imperatives;
- Management over-valuing information security and perhaps over-spending on the controls, diverting funds unnecessarily from other projects and operations (including other forms of risk treatment);
- Information security investments or budgets being determined on potentially inappropriate bases (such as allocating a certain percentage of total IT expenditure, a specific increase or decrease on last year’s budget, or some notional ‘industry benchmark’ that fails to take due account of the organization’s specific situation and needs);
- Information security investments and expenditure being constrained or determined inappropriately by external bodies (such as head office in a typical group structure) lacking sufficient visibility of the organization’s true needs;
- Application of inappropriate or inaccurate economic models and/or investment appraisal techniques (including those commonly used to assess conventional investments in facilities, plant and machinery), giving misleading results when applied in this risk management field;
- Failing to take full account of frequent changes in the information risk environment and necessary controls, such as novel threats, newly-recognized vulnerabilities, changes in the way the organization uses and depends on information, and changes to external compliance obligations (such as new privacy laws and regulations), which hints at the idea of making the organization inherently strong and resilient to cope with future challenges even if they are not or cannot be predicted at this point; and
- Setting inappropriate management expectations regarding the projected costs and benefits arising from the ISMS.
As to whether these risks are addressed in the published version, you be the judge of that.
A rather academic approach from the field of economics has been shoe-horned into the information security management context. As such, some of the advice is vacuous and unhelpful, not to say gibberish (e.g. “Information security can be applied to protect intangible assets such as brand, reputation etc. The extent of this protection needs to be calculated and presented in such a way that it relates to the organization’s evaluation of such intangible assets. The economics applied of the evaluation should be related to the effect of applying information security to the intangible asset. Sources for economical values should be sourced from business functions such as financial, risk management, sales and marketing etc. Costs for protection should be calculated based on information security.”) On the other hand, the academic approach implies a degree of rigour and comprehensiveness that is often lacking in more pragmatic standards. As always, the true value of the product depends on how useful it is to the customers who buy and attempt to use it.
Some of the more generic parts of the text may be more appropriate in the ISO27k overview sections of 27000.