Thomas Nowey scite author profile

2013

Abstract. Economic aspects of information security are of growing interest for researchers as well as for decision makers in IT-depending companies. From a business perspective cost-benefit-justifications for information security investments are in the focus. While previous research has mostly focused on economic models for security investments or on how to quantify the benefits of information security this paper aims to take a closer look at the costs for information security. After providing the reader with basic knowledge and a motivation for the topic, we identify and describe the problems and difficulties in quantifying an enterprise's cost for information security in a comprehensive and comparable way with the lack of a common model of information security costs being the most prominent one. Following, this paper discusses four approaches to categorise and determine information security costs in an enterprise. Starting with the classic approach frequently used in surveys, we continue by describing three alternative approaches. To support research on information security costs we propose two metrics. We conclude with inputs for future research, especially for an empirical analysis of the topic.

Towards a security architecture for vehicular ad hoc networks

Plößl

Mletzko

2006

Vehicular ad hoc networks (VANETs) have the potential to increase road safety and comfort. Especially because of the road safety functions, there is a strong demand for security in VANETs. After defining three application categories the paper outlines main security and privacy requirements in VANETs. Next, a security architecture for VANETs (SAV) is proposed that strives to satisfy the requirements. To find mechanisms applicable in the architecture a survey of existing mechanisms is given.

Economic Security Metrics

Böhme

A reference model for Authentication and Authorisation Infrastructures respecting privacy and flexibility in b2c eCommerce

Schläger

Montenegro

2006

Authentication and Authorisation Infrastructures (AAIs) are gaining momentum throughout the Internet. Solutions have been proposed for various scenarios among them academia, GRID computing, company networks, and above all eCommerce applications. Products and concepts vary in architecture, security features, target group, and usability containing different strengths and weaknesses. In addition security needs have changed in communication and business processes. Security on the internet is no longer defined as only security measures for an eCommerce provider against an untrustworthy customer but also vice versa. Consequently, privacy, data canniness, and security are demands in this area.The authors define criteria for an eCommerce provider federation using an AAI with a maximum of privacy and flexibility. The criteria is derived concentrating on b2c eCommerce applications fulfilling the demands. In addition to best practices found, XACML policies and an attribute infrastructure are deployed. Among the evaluated AAIs are Shibboleth, Microsoft Passport, the Liberty Alliance Framework, and PERMIS.

Towards a Risk Management Perspective on AAIs

Schläger

2006

Abstract. Authentication and Authorisation Infrastructures (AAIs) support service providers on the internet to outsource security services. Motivations for their usage stem from software engineering and economics. For the latter an assessment of inherent risks is needed. In this work the authors deduct an appropriate, formalistic risk assessment method for AAIs and analyse outsource able security services in comparison to traditional -non AAI involved -service providing. To achieve the assessment of risks various methods for risk management have been analysed and finally a suitable qualitative method has been chosen. As AAIs differ in their potential to cover security services, combinations of these services are compared. The given risk assessment method enables providers to decide on a special infrastructure for their purpose and lets users of AAIs determine if given advantages surpass the immanent risks. This work also enables service providers to estimate costs for such an infrastructure and calculate potential savings.