We present a model for estimating the costs of risks and losses due to accidental or deliberate disclosure, transfer, delay, modification, or destruction of information. The model is characterized by (1) a strong emphasis on consequence analysis, (2) a high-level classification of risk objects, loss-provoking events, losses, loss costs and data items, and (3) typing of data values according to their degree of vagueness. It has a sound theoretical foundation and is designed for practical use in the telecommunications industry. To provide a firm basis for risk analysis and loss accounting, we use an object-oriented approach to security called the PPI-FEB approach. We compare this approach with three others: (1) the organization-oriented approach found in most standard references; (2) the event/threat-oriented WAECUP approach of Bottom and Kostanoski [Introduction to Security and Loss Control, Prentice-Hall, New York, 1990]; and (3) the process-oriented approach of Post et al. [Security Administration: An Introduction to the Protective Services, 4th Edition, Butterworth-Heinemann, 1994], which is based on generic security functions. We argue that the PPI-FEB approach is the most appropriate of these for risk analysis and loss accounting.