ISO/IEC TR 27016

ISO/IEC TR 27016:2014 – Information technology – Information security – Management of information security – Organizational economics

Introduction

The following Australian contributions were noted in the New Work Item Proposal:

“Information security professionals, either employed by an organization or acting as consultants, find it difficult to justify the expenditure of money on information security controls to management that is primarily concerned with finances concerning the core business of that organization. Often, this problem arises because of the lack of an agreed-upon way to relate economics and cybersecurity. Such problems will be reduced by the proposed standard.

In the proposed standard, it is intended to provide guidelines based on generally accepted best practices that can be used by both information security professionals and general managers in assessing the financial consequences of information security programme initiatives.”

Here’s how the published standard measures up.

Scope and objectives

As an introductory chunk, here are some highlights:

The purpose of this Technical Report is to provide guidelines for information security economics as a process for using scarce resources, each of which has multiple applications, to achieve an organization’s goals optimally. A company’s information assets require resources, which might otherwise be used for other purposes not related to information security.” [From the PDTR version, subject to possible changes]

The ISO catalogue says this standard offers practical guidance for organizations when it comes to protecting information and understanding the cost implications of those decisions while competing for resources.

The Technical Report aims to:

– Provide management with an appreciation and understanding of the financial impact of information security, as well as any other potential impacts, such as social, political, legal, and other compliance impacts, which all affect the amount of investment the organization should make to protect its information;
– Assist the CISO or ISM in justifying corporate investment in an ISMS to senior management;
– Assess the value of information assets as well as associated information risks and security controls, and therefore will help management to assign the necessary resources for the implementation and operation of an ISMS. The goal is to invest just the right amount, neither too little nor too much in the ISMS;
– Integrate the activity of determining the appropriate investment into various parts or elements of an ISMS, such as how much money to allocate to the risk assessment, security, and control activities;
– Provide a comprehensive financial perspective for the ISO27k standards, analyzing and explaining the fundamentals of economics and showing how to apply economic models to information security through examples and descriptions, including a cost-benefit analysis and financial metrics as appropriate;
– Generic approach: user organisations must develop their customised business cases, based on their circumstances and needs. An organization is unique in its way. Nevertheless, the standard may provide a general framework or structure to serve as a starting point, along with relevant ‘donor text’ and suggestions on how to value and justify an ISMS, for example.

The standard’s status

As this is a developing field of study, the standard was published more as a Technical Report than an International Standard in 2014.

Commentary

Among the risks I had hoped the standard would address were:

– Management deemed information security to be not important enough and as such, deprioritized it in comparison with other business imperatives;
– Management placing an overabundance of value on information security and spending excessively, diverting funds from more important projects (such as other methods of mitigating risk);
– Investments or budgets for information security that are determined by potentially inappropriate criteria (for example, allocating a specific percentage of IT budgets, or an increase or decrease on a previous budget that does not take the organization’s specific situation into account);
– Investments and expenditures in information security being restricted or determined inappropriately by external bodies (such as the head office within a typical group structure), which lack visibility into an organization’s true requirements;
– The use of incorrect economic models or investment appraisal methods (including methods that are accepted to assess conventional investments in plant and equipment), resulting in misleading results when applied to risk management;
Insufficient attention is given to the constant changes in the information risk environment and necessary controls, including new threats, newly identified vulnerabilities, changes in how the organization uses and relies on information, and changes in external compliance requirements (e.g., new privacy laws and regulations), implying that the organization may become increasingly strong and resilient to meet challenges that might be revealed in the future; and
– Providing inappropriate management expectations on the expected costs and benefits of the ISMS.

I leave it to you to determine whether these risks have been addressed in the published version or not.

The information security management context has been forced to adopt a rather academic approach from economics. This in turn results in some advice that is vaporous, unhelpful, and even gibberish (For example; “Information security can be used to protect intangible assets such as brand, reputation, etc.”. This protection should be calculated and presented in a way that is in line with the organization’s evaluation of these intangible assets.

Economic analysis should be applied to intangible asset based on the effects of security measures. A company’s economic values should be derived from its financial, risk management, sales, and marketing functions. Information security should be taken into account when calculating costs for protection.”)

Nevertheless, academic standards need to apply rigorous standards and be comprehensive enough to compensate for the lack of rigour and comprehensiveness in more pragmatic standards. Customer value is always determined by how useful the product is to those who buy and attempt to use it.

Several in the text are more generic and would better fit in the ISO27k overview sections of 27000.