What are the Economics of Identity and Access Management (IAM)? This is a key area that needs to be explored, to really understand, from an economic perspective, the actual value that IAM provides to organizations based on its impact on aspects of relevance to decision makers (such as loss prevention and risk mitigation) and the threat landscape.
A few core aspects need to be researched:
1) What are the key “aspects/metrics” that characterize the impact of IAM investments on an enterprise, for example in terms of preventing/reducing losses? In a first analysis important “macro” aspects include: security breaches (B), productivity loss (P), compliance violations (C) and costs (K)…
2) How do these aspects/metrics relate to the basic IAM “levers” that decision makers (e.g. CIO/CISO/Risk Managers) can act on i.e. configuration, enforcement and audit reporting tools (compliance checking tools)? We need to capture the relevant causal dependencies, for example: what are the consequences and the impact of investing more on audit/compliance checking, rather than in configuration or enforcement? What are the consequences of acting on enforcement in terms of productivity and costs?
3) Which utility functions, U(B,P,C,K) can effectively model the impact of IAM (e.g. in terms of losses) on security breaches, productivity loss, compliance violations and costs by factoring in the investments in the “configuration, enforcement and audit” levers?
4) How to effectively use systems modeling to estimate these utility functions, by animating the causal dependencies and inter-relationships among these “levers” and their impact on metrics, inclusive of assumptions on the threat landscape?
So far I found very little literature and related work in this space – I would be keen to get any reference or link, if available.
I am going to pursue research in this space, in the context of the Identity Analytics activity (HP Labs Security Analytics project, Systems Security Lab), as I believe this (as for the Economics of Privacy and the Economics of Information Security) can:
- provide a more rational way to describe and analyse the impact and value that IAM actually offers to organizations;
- provide key decision makers with a decision support tool that operates at their level of abstraction.
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: my original HP blog can be found here ---
No comments:
Post a Comment