Cost based data security model for organizations
As the information systems threat environment continues to escalate and change, the focus of information security shifts towards the effectiveness and efficiency of security countermeasures. Organizations continue to suffer the consequences of data breaches, with many paying high fines, losing important data, suffering reputational damage, and some even going out of business entirely. This has led organizations to layer security countermeasures one upon another, from logical to physical and administrative controls, to ensure they protect their assets. Ensuring strong information security is resource-consuming and very costly given the limited security budget. On the other hand, different information/data requires a different security level depending on its nature or classification. For example, some information may require a basic security level because it is less sensitive, while other information may require a higher protection level because it is highly sensitive. This demands that information security spending be reviewed as thoroughly as other management decisions. In this research, using a qualitative and quantitative research methodology, various ways of classifying data are identified; these include classification based on type of data, owner, value of data, sensitivity of data, legal and regulatory requirements, user needs, etc. The research also investigates various data security requirements and problems. The requirements identified include the CIA, legal requirements, data response, utility, accountability and privacy. On data problems, the networked environment, user-related challenges, the complexity of computing tools and integrated environments, e-commerce issues, poor data security governance and the internet are identified as key challenges. The research also involves an analysis of data security models, in which gaps and deficiencies are identified. A cost-based data security model for implementing security based on the data security requirements of different classes of data is developed.
This model is a step towards the identification and optimization of data security control costs, where data security implementation is informed by the data security needs.