ISO 27016

ISO/IEC TR 27016:2014 provides guidelines on the economic aspects of information security management, emphasizing the need for organizations to make informed decisions regarding the allocation of resources for protecting information assets. It highlights the importance of considering both financial and non-financial benefits in the decision-making process, ensuring that investments in information security align with broader business objectives. The report serves as a supplement to the ISO/IEC 27000 family of standards, introducing an economic perspective to enhance the effectiveness of information security measures.

TECHNICAL REPORT ISO/IEC TR 27016
First edition 2014-03-01

Information technology — Security techniques — Information security management — Organizational economics
Technologies de l’information — Techniques de sécurité — Management de la sécurité de l’information — Économie organisationnelle

Reference number
ISO/IEC TR 27016:2014(E)

© ISO/IEC 2014
ISO/IEC TR 27016:2014(E)


COPYRIGHT PROTECTED DOCUMENT


© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail [email protected]
Web www.iso.org
Published in Switzerland

ii  © ISO/IEC 2014 – All rights reserved




Contents  Page

Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Abbreviated terms  3
5 Structure of this Document  3
6 Information Security Economic Factors  4
6.1 Management Decisions  4
6.2 Business Cases  4
6.3 Stakeholder Interests  7
6.4 Economic Decision Review  8
7 Economic Objectives  8
7.1 Introduction  8
7.2 Information Asset Valuations  8
8 Balancing Information Security Economics for ISM  10
8.1 Introduction  10
8.2 Economic Benefits  11
8.3 Economic Costs  11
8.4 Applying Economic Calculations to ISM  12
Annex A (informative) Identification of Stakeholders and Objectives for Setting Values  17
Annex B (informative) Economic Decisions and Key Cost Decision Factors  19
Annex C (informative) Economic Models Appropriate for Information Security  22
Annex D (informative) Business Cases Calculation Examples  26
Bibliography  31





Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
In exceptional circumstances, when the joint technical committee has collected data of a different kind
from that which is normally published as an International Standard (“state of the art”, for example), it
may decide to publish a Technical Report. A Technical Report is entirely informative in nature and shall
be subject to review every five years in the same manner as an International Standard.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 27016 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.





Introduction
This Technical Report provides guidelines on information security economics as a decision making
process concerning the production, distribution, and consumption of limited goods and services. Actions
for the protection of an organization’s information assets require resources, which otherwise could be
allocated to alternative non-information security related uses. The reader of this Technical Report is
primarily intended to be executive management who have delegated responsibility from the governing
body for strategy and policy, e.g. Chief Executive Officers (CEOs), Heads of Government Organizations,
Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIOs), Chief
Information Security Officers (CISOs) and similar roles.
Information security management is often seen as an information technology only approach using
technical controls (e.g. encryption, access and privilege management, firewalls, and intrusion and
malicious code eradication). However, any application of information security is not effective without
considering a broad range of other controls (e.g. physical controls, human resource controls, policies
and rules, etc.). A decision has to be made to allocate sufficient resources to support a broad range
of controls as part of information security management. This Technical Report supports the broad
objectives of information security as provided in the ISO/IEC 27000 family of standards by introducing
economics as a key component of the decision making process.
Coupled with a risk management approach (ISO/IEC 27005[5]) and the ability to perform information
security measurements (ISO/IEC 27004[4]), economic factors need to be considered as part of information
security management when planning, implementing, maintaining and improving the security of the
organization’s information assets. In particular, economic justifications are required to ensure spending
on information security is effective as opposed to using the resources in a less efficient way.
Typically, economic benefits of information security management concern one or more of the following:
a) minimizing any negative impact to the organization’s business objectives;
b) ensuring any financial loss is acceptable;
c) avoiding requirements for additional risk capital and contingency provisioning.
Information security management may also produce benefits that are not driven by financial concerns
alone. While these non-financial benefits are important, they are usually excluded from financial based
economic analysis. Such benefits need to be quantified and included as part of the economic analysis.
Examples include:
a) enabling the business to participate in high-risk endeavours;
b) enabling the business to satisfy legal and regulatory obligations;
c) managing customer expectations of the organization;
d) managing community expectations of the organization;
e) maintaining a trusted organizational reputation;
f) providing assurance of completeness and accuracy of financial reporting.
Negative financial and non-financial economic impacts as a result of a failure by the organization to
provide adequate protection of its information assets are increasingly becoming a business issue. The
value of information security management includes identifying a direct relationship between the cost of
controls to prevent loss, and the cost benefit of avoiding a loss.
Increasing levels of competition are resulting in the need for organizations to focus on the economics of
risk.





This Technical Report supplements the ISO/IEC 27000 family of standards by overlaying an economic
perspective on protecting an organization’s information assets in the context of the wider societal
environment in which an organization operates.



TECHNICAL REPORT ISO/IEC TR 27016:2014(E)

Information technology — Security techniques — Information security management — Organizational economics

1 Scope
This Technical Report provides guidelines on how an organization can make decisions to protect
information and understand the economic consequences of these decisions in the context of competing
requirements for resources.
This Technical Report is applicable to all types and sizes of organizations and provides information
to enable economic decisions in information security management by top management who have
responsibility for information security decisions.

2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary

3 Terms and definitions


For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
3.1
annualized loss expectancy
ALE
monetary loss (3.13) that can be expected for an asset due to a risk over a one year period
Note 1 to entry: ALE is defined as: ALE = SLE × ARO, where SLE is the Single Loss Expectancy and ARO is the
Annualized Rate of Occurrence.

3.2
direct value
value that can be determined by a value of an identical replacement or substitute in the event of an
information asset or assets being harmed or lost
Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as loss if the event
occurs.

3.3
economic factor
item or information that affects an asset’s value (3.22)
3.4
economic comparison
consideration of competing or alternative cases for the allocation of resource





3.5
economic justification
element of business case designed to enable the allocation of resource
3.6
economic value added
measure that compares net operating profit to total cost of capital
3.7
economics
efficient use of limited resources
3.8
expected value
value estimated as an impact to the business by an information asset being harmed or lost
Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as loss if the event
occurs.

3.9
extended value
expected value times the number of times that value might occur
3.10
indirect value
value that is estimated for the replacement or restoring in the event of an information asset or assets
being harmed or lost
Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as negative if the
event occurs.

3.11
information security economics
efficient use of limited resources for information security management
3.12
information security management
ISM
managing the preservation of confidentiality, integrity and availability of information
3.13
loss
reduction in the value (3.22) of an asset
Note 1 to entry: In terms of information security economics (3.11), a loss may also be used in the context as a
positive value. In this document a cost is always negative unless otherwise stated.

3.14
market value
highest price that a ready, willing and able buyer will pay and the lowest price a seller will accept
3.15
net present value
sum of the present values (3.16) of the individual cash flows of the same entity
3.16
present value
current worth of a future sum of money or stream of cash flows given a specified rate of return
3.17
non economic benefit
benefit for which no payment has been made





3.18
opportunity cost
future estimated cost for a certain information security activity or activities
3.19
opportunity value
future estimated positive value gained from a certain information security activity or activities
3.20
regulatory requirements
mandatory resource demands associated with a specific market
3.21
return on investment
measurement per period rates of return on value invested in an economic entity
3.22
societal value
public distinction between right and wrong
3.23
value
relative worth of an asset to other objects or a defined absolute value
Note 1 to entry: In terms of information security economics (3.11) a value may be positive or negative. In this
document a value is always positive unless otherwise stated.

3.24
value-at-risk
VAR
summarizes the worst loss (3.13) over a target time that will not be exceeded with a given probability
Note 1 to entry: Target time for example could be 1 year and the given probability could also be referred to as
confidence level.

4 Abbreviated terms
BVM Basic Value Model
CIA Confidentiality–Integrity–Availability
ICT Information and Communications Technology
IRP Interest Rate Parity
ISMS Information Security Management System
ROI Return On Investment

5 Structure of this Document


Fundamental to the organizational economics of information security management is the ability to
enable economic values to be presented to management thereby enabling better factual based decisions
regarding the resources to be applied to the protection of the organization’s information assets.
In this Technical Report, Clause 6 describes information security economic factors and their relevance in
management decision making. Clause 7 describes the economic objectives in terms of asset evaluations.
Clause 8 describes how to apply an economic balance using information security benefits and costs in
an organizational context in general and using examples depending on the category of a business case.





These clauses are supported by a number of annexes:


— Annex A describes wide context objectives of stakeholders regarding the values of information
security.
— Annex B describes business objectives and related information security organizational cost issues.
— Annex C describes a set of models that can be used for information security organizational economics.
— Annex D describes examples of using models with example figures.

6 Information Security Economic Factors

6.1 Management Decisions


The ISO/IEC 27000 family of standards provides a number of business related objectives guiding
management decisions by which organizations formally and informally assess their need to invest in
information security. These management decisions will be made more effective if a relevant process is
devised to compare the net benefit of an information security investment with competing demands for
resource in other areas of the organization.
The information security decision process needs to include a clear basis in support of management
decision-making, taking into account appropriate factors with respect to the organization’s information
security economics. The economic value of an information security investment should take account of
the organization’s business objectives. With the business objectives directly linked, other factors such
as risks, costs and benefits can now be applied allowing their more effective measurement.
Determining a suitable economic justification for the allocation of resources to preserve the security of
information assets, in a way that allows economic comparison with other ways of using the resources,
needs to be considered by management. One principle is to apply an approach of resource allocation (e.g.
Net Present Value, Return On Investment, Economic Value Added) to an information security management
programme in order to produce results that can be compared for decision-making purposes.
a) Some benefits of an information security management programme may not be economic in nature
because it is difficult to objectively and consistently measure the benefits in economic terms. For
example, if there are regulatory requirements to protect or provide certain information, it may
not be possible to determine the economic value of this benefit. This is also referred to as value of
compliance.
b) Similarly, the societal value of an information security management programme cannot be objectively
determined in economic terms without an effective feedback mechanism from the community. Non-
economic benefits are an important part of the justification of an information security management
programme, however, they cannot be included in any form of financial economic analysis as it is
difficult to apply consistent measurement.
c) Information security can be applied to protect intangible assets such as brand, reputation, etc. The
extent of this protection needs to be calculated and presented in such a way that it relates to the
organization’s evaluation of such intangible assets. The economics applied in the evaluation should
relate to the effect of applying information security to the intangible asset. Economic values
should be sourced from business functions such as financial, risk management, sales and marketing,
etc. Costs for protection should be calculated based on information security.

6.2 Business Cases


An information security investment business case allows an organization to consider whether the
economic benefits outweigh the costs and if so by how much. When information security objectives are
presented to an organization’s management, usually in the form of a business case, economic aspects
should be considered. This should include the consequences resulting from considering the information
security aspects of a business proposition. For example, what will be the economic impact on the





organization’s ability to meet its objectives if an activity is (not) done? A business case should aim to
provide a clear answer to this question.
The business case should present a balanced cost–benefit-risk view so that the organization is aware
of the options and implications of any decision, thus enabling a basis upon which the desirability of
a given security investment can be considered to achieve the best outcomes. These implications and
options could be positive in terms of correct information security investments or negative if inadequate
investments are made.
The business case should be considered in terms of the information security investment costs against
any costs associated with risks. The key fundamental elements of the business case should provide
decision makers with sufficient information to understand:
a) The value of the information asset.
b) The potential risks to the information asset.
c) The known cost of protecting the information asset.
d) The reduction of risk in relation to applying protection.
At some point the protection costs applied to the value of the information asset will reach an optimum
balance point. This optimum point between the protection costs is when the reduction of risk that will
affect the value will be less than the cost of protection (see also model C.4).
Figure 1 symbolizes the need for the business case to include economic factors as part of the business
process.

Figure 1 — Information security organizational economics decision process using 27016

When preparing the business case the organization needs to be mindful that resources are always finite
and that areas of concern need to be considered and prioritised dependent on the organization’s needs.
In this context, information security aspects should be founded on facts and hard data where available
and calculations should be made based on best knowledge and experience, which may include:
e) Calculation with a time-span (maximum, minimum time period, etc.).
f) Cost estimates.
g) Quotations.
h) Predictions of market values.





i) Known or estimated noncompliance fees and penalties.
j) Legal consequences in direct or indirect economic terms.
k) Risk estimates that provide predictions of losses occurring.
l) Opportunity Value.
m) Opportunity Cost.
When making estimates based on a time-span, these could be gathered from statistics, risk assessments,
etc. When defining a time-span it is useful to consult experts from all relevant functions and areas.
Economics related to information security management should cover:
n) Activities and decisions during the whole information security management process.
o) Economic aspects supporting the decision on annual investments for the information security
management process.
p) Ensuring that information security management is undertaken in conformity with ISO/IEC 27001[1]
(information security management system).
The complexity of a business case for information security management is dependent on scope which
in turn, is based on the context in which information security needs to be applied. In order to be able to
include information security organizational economics as part of a business case, a business rationale
based on a business description needs to be considered in combination with the actual information
security solution. Different economic models can be applied to business cases at different levels of the
organization. These levels could be as simple as using two categories: Category A - Organizational and
Category B - Part of the organization consisting of a process, function, etc. The organizational part can
contain a number of assets. From an information security management perspective, Category B could
also be an application business case for a control or controls.





Table 1 — Categorization of business cases
(Columns: Business case category; Type/Scope; Description of type of business case; ISM example; Calculation characteristics)

Category A
Type/Scope: Organization wide.
Description of type of business case: High level and more conceptual. This means that the case describes information security applied to the whole or a major part of the organization. It is assumed that ISMS ‘organization wide’ applies to the agreed scope boundaries.
ISM example: A typical case is an ISMS implementation or merger or acquisition of another organization.
Calculation characteristics: High level calculation of opportunity values for the organization and costs for implementing and running the business case. A range is recommended for both values and costs.

Category B
Type/Scope: Part of the organization such as process/department/function and/or asset/assets and/or control/controls.
Description of type of business case: A case based on a business activity or an information security activity. The case concerns a change to part of the business and describes information security applied to the change and investment for the organization with multiple effects on information security. The case describes information security applied to a specific asset or set of assets where one or a number of controls should be applied.
ISM example: A typical case is an ICT outsourcing, computer centre and/or such items as secure web, enhanced perimeter protection, computer centre fire protection, IDS deployment, etc.
Calculation characteristics: There could be several calculations and results may need to be aggregated. A calculation of values and costs is generally easy to define but may need to be estimated for complex business cases. A range is recommended for estimates of values but not costs.

Further information about economic decisions and key decision factors is given in Annex B.

6.3 Stakeholder Interests


ISO/IEC 27001[1] stipulates that the ISMS should be used to further stakeholders’ interests. Furthering
these interests should include consideration of information security economics. Economic factors should
be considered where information security could have a negative impact on stakeholders. As an example
the following values may be used:
a) Societal value, for example, should the total economic value of the defined society be included or
should there be any limitations?
b) Brand value, key business value, etc.
c) Reputation.
d) Customer value.
e) IPR (Intellectual Property Rights).
f) Depending on the business, particular economic values may be needed such as within the health
care sector, transport sector, etc.





Other functions within an organization may have already considered these values for their own
economic calculations and should be encouraged to provide valuable input when information security
is being considered.
Further information on stakeholders and their objectives is found in Annex A.

6.4 Economic Decision Review


The implementation and ongoing management of information security controls to protect information
assets will consume limited organizational resources. They therefore should be treated by an organization
as an item of value with the expectation of returning a favourable future return (e.g. prevention of theft
of sensitive information).
As described in ISO/IEC 27004[4], an organization needs to continuously evaluate and measure whether
the applied information security has achieved its intended purpose. This measurement process equally
applies to the assessment of the economic investment made by the organization in its limited goods and
services. For example, are the costs of the following activities reasonable:
a) Cost of risk assessing processes and projects.
b) Organizational infrastructure, including the cost of people required to maintain information
security.
c) Information security controls (e.g. cost of user access management solutions, cost of encrypting
backups) providing adequate ongoing protection in accordance with the organization’s risk appetite
(e.g. accepted residual risk).
d) Activities to provide ongoing control testing, process assurance and/or certification to demonstrate
that information security has reached a specific standard.
e) Cultural development, training and awareness leading to a reduction in the number of information
security related incidents.
NOTE Investments in organizational infrastructure and training can have slower but long-term effects on
the organization. Their assessment should therefore be considered over a longer period of time.

7 Economic Objectives

7.1 Introduction
The application of economics to information security management requires appropriate data from the
information security management programme to be used as input factors in any economic decision-
making tools used by the organization. This process is straightforward for financial economic
considerations, but more difficult for non-financial considerations.
Economic decisions involve the prioritization of available limited goods and service resources to optimize
the achievement of organizational objectives. These economic decisions apply equally to information
security management as to other parts of the organization.
Annex B provides examples of information security specific decision factors for consideration when
optimising the achievement of multiple objectives. Each cost decision has the potential to influence the
achievement of information security outcomes. For example, increasing investment in risk mitigation
would allow the organization to operate at lower risk, but may not improve the organization’s
responsiveness to change.

7.2 Information Asset Valuations


Information asset valuations for information security purposes should be performed against the
criteria of Confidentiality, Integrity and Availability (and any additional information security aspects

8  © ISO/IEC 2014 – All rights reserved


ISO/IEC TR 27016:2014(E)


required by the organization). When establishing a value in monetary terms, this value should reflect the
business impact of the asset if the respective criterion is compromised. For example, if a public website
is compromised in terms of integrity (meaning that the information on that website is misleading), this
may incur a certain business impact which could be expressed in monetary terms. The confidentiality
value of the same website in monetary terms is zero, as the information is publicly available. If the same
website becomes unavailable, the business impact in monetary terms will be different again, because
external parties cannot access the information. Thus three different values exist for this one asset.
This guidance should be considered when conducting asset valuations.
Since valuation of intangible assets can be difficult, two simple approaches can be adopted: a comparative
scale (e.g. low, medium, high) or a numerical scale (e.g. 1 to 4). These are especially suitable when
values and/or costs are calculated and/or presented as a range (minimum, maximum).
Economic values that may be used as an economic justification relating to tangible and intangible assets
for information security investment are categorised in Table 2.

Table 2 — Types of Organizational Economic Values

Value type: Description
Physical: Sum of the tangible assets that comprise an organization.
Customer: Valuation of the business generated by the portfolio of clients of the organization.
Societal: Valuation of the perception that society in general has of the organization.
Reputational: Valuation of the perception that competitors, suppliers, customers, shareholders, governments and other stakeholder components have of the organization.
Intangible / Logical: Sum of the intangible assets that comprise an organization. Intangible assets should also include the information handled by an organization: strategic, business, etc.
Legal and Regulatory: Potential sanctions and/or penalties that might result from a breach.

The basic value model should be used in conjunction with the balance sheet for evaluating and presenting
conclusions of information security economics. It is based on the following characteristics:
Direct values are economic values, such as material loss or direct investment arising from an occurrence
(which can be passive or active), that can be stated precisely.
Indirect values are extensions to the direct values and reflect the additional, more intangible values
lost or gained. Indirect values carry greater uncertainty and are therefore often expressed as a range.
They could include the value of lost output, increased administration, etc.
Extended values are those affected by the direct and indirect values and can be quite substantial. They
have a still greater range and have to be evaluated on the same basis as direct and indirect values, but
are also affected by other factors such as the impact on society and/or the organization as a whole,
including share price where relevant. Extended values are often considered unquantifiable, such as
brand and reputation. (Note that extended values are most likely to be negative but may also be positive.)
An organization should complete the valuation of its information assets by considering the values
attributable to the different stakeholders, which include:
a) Tangible assets that comprise an organization.
b) Value of business generated by the portfolio of clients.
c) Intangible assets such as information, customer perception, brand value and societal perception.


Table 3 — Types of Economic Asset Values - Principles and examples

Category A
  Value type: Organization
  Description: The parties within scope of the ISMS.
  Asset: The assets defined to be able to run and maintain the business over time.
  Value: The total value could be broken down to business processes related to specific assets such as intellectual property rights, databases, ICT resources, etc. to which values could be applied.
Category B
  Value type: 2nd and 3rd Parties
  Description: Individual customers, suppliers.
  Asset: The assets defined to be able to run and maintain the business in relation to a defined party.
  Value: The value defined for the assets involved.
Category C
  Value type: Stakeholders
  Description: Any party interested in the information security aspects of the organization, such as owners.
  Asset: The assets defined to be able to run and maintain the business in relation to a defined party.
  Value: The total value could be broken down to business processes related to specific assets such as IPR, databases, ICT resources, etc. to which values could be applied.
Category D
  Value type: Societal
  Description: Community interests.
  Asset: Assets that could compromise the community interest.
  Value: Value of the impact on the community which is then transferred to the organization.

This valuation can also be graded so as to apply an appropriate combination of the relevant categories.
For example, information assets associated with an entire database of 100,000 customer records
containing personally identifiable information could be much more valuable when all organizational
(category A), stakeholder (category C) and other affected party (category B) interests are aggregated.
Valuations may also be graded based on categories of important assets. For example, a database of
100,000 customer records containing personally identifiable information would be very important to a
government department. Similarly, unpublished final accounts of a major international company would
be very sensitive, with dangers of insider trading and major international economic repercussions.
Organizations can make informed economic decisions by mapping the relationship between cost decisions
and the relative consequences. As each cost decision (e.g. on risk mitigation costs, on certification costs)
can have multiple consequences, it may be possible to represent this relationship in a table.

8 Balancing Information Security Economics for ISM

8.1 Introduction
A well-functioning organization needs an information security management system that ensures its
information assets remain protected from adverse events, while at the same time being available to those
who need to use such information for sustainable organizational delivery of its business objectives. The
common requirements associated with determining benefits and costs to be achieved by an organization
to meet its business objectives are typically associated with:
a) Reduction of losses (often annualized).
b) Minimizing the costs associated with making financial and other provisions for loss events
(incidents).
c) Effectiveness of the information security management programme designed to protect information
assets.
d) Efficiency of the information security programme associated with the cost of planning, designing,
implementing, maintaining and improving the programme.



Information security management can create intangible/non-financial and tangible/financial benefits
with positive values when management maintains an ability to direct and control information security
risks.
Cost and benefit decisions should relate to the expected benefits from achieving a risk reduction by the
deployment of planned controls. Typically risks are mitigated by a number of controls. The deployment
of a particular control may contribute at different levels to risk mitigation, ranging from a minor
contribution through to full risk mitigation.
Information security should support the achievement of business objectives. It should be remembered
that different approaches can be adopted, with different costs and benefits that will allow the desired
business objectives to be achieved. For example, it may be possible to trade off ‘speed to market’ benefits
(e.g. increased revenue sooner) against increased ‘potential information security loss’ costs (e.g. privacy
of new customer data not protected and accessed by unauthorised persons). In this case the potential loss
represents a valuation of the loss that could be incurred in the absence or compromise of the information
asset (customer data). Alternatively, it may be better to accept a higher-cost information security
management programme to realize the benefits that would accompany good customer acceptance of a
product or service.

8.2 Economic Benefits


A reduction in losses can be determined by comparing an anticipated annual loss in the absence and
presence of the Information security management programme under consideration. When performing
this comparison, consideration needs to be given to using a methodology that can be aligned with other
methodologies in use by the organization.
Where different criteria or assessment techniques are used for determining information security risk, the
overall economic results will most likely not be consistent and comparable with other programmes and
initiatives. Similarly, to ensure a consistent and comparable outcome the risk criteria used to determine
economic benefits should be restricted to those that have a financial focus. However, the organization
should also consider how non-financial economic factors could be applied once the financial economic
focus has been completed. Information about management of information security risks can be found in
ISO/IEC 27005.[5]
It is important to note that the selection of the risk criteria relevant to determining financial economic
benefits rarely resides with the information security management function and is often determined by
the Chief Financial Officer or someone with a similar financial role.
Costs associated with minimizing financial loss and other provisions for loss events may be reduced as
a consequence of an Information security management programme. This is an economic benefit that
can be taken into account when evaluating a proposed Information security management programme.
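The comparison of anticipated annual loss without and with the programme can be carried out on a simulated loss distribution, which also shows why an annualized mean (ALE) on its own is a poor guide for low frequency / high impact incidents, the point made in Annex B, rows E and F. The following Python example is added here for illustration and is not code from ISO/IEC TR 27016 or its annexes; the two scenarios, their frequencies and loss sizes, and the effect attributed to the programme are constructed figures, and the compound Poisson / lognormal loss model is an assumption of the example, not a method the report prescribes.

```python
"""Annual loss with and without an information security programme:
ALE (mean annual loss) next to value at risk (a tail quantile).

Added illustration, not code from ISO/IEC TR 27016. Scenario figures are
constructed. Model assumption: each scenario is a compound Poisson process,
events per year ~ Poisson(frequency), loss per event ~ lognormal(median, sigma).
"""
import math
import random

# (name, events per year, median loss per event, sigma of ln(loss))
WITHOUT_PROGRAMME = [
    ("phishing account takeover", 4.00, 20_000, 0.8),
    ("ransomware outage (low frequency / high impact)", 0.05, 3_000_000, 0.6),
]
# Assumed effect of the programme: fewer events and smaller losses per event.
WITH_PROGRAMME = [
    ("phishing account takeover", 1.00, 10_000, 0.8),
    ("ransomware outage (low frequency / high impact)", 0.02, 1_000_000, 0.6),
]


def analytic_ale(scenarios):
    """ALE = sum over scenarios of frequency * expected loss per event;
    for a lognormal the expectation is median * exp(sigma^2 / 2)."""
    return sum(f * m * math.exp(s * s / 2) for _, f, m, s in scenarios)


def poisson(rng, lam):
    """Knuth's inversion method; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years, seed=1):
    """Total loss for each simulated year, summed across all scenarios."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        year_total = 0.0
        for _, freq, median, sigma in scenarios:
            for _ in range(poisson(rng, freq)):
                year_total += rng.lognormvariate(math.log(median), sigma)
        losses.append(year_total)
    return losses


def value_at_risk(losses, confidence):
    """Annual loss not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def compare(years=20_000, confidence=0.99, seed=1):
    """ALE and VaR without and with the programme, plus the reductions that
    8.2 asks for (annual loss without the programme minus annual loss with it)."""
    without = simulate_annual_losses(WITHOUT_PROGRAMME, years, seed)
    with_ = simulate_annual_losses(WITH_PROGRAMME, years, seed + 1)
    result = {
        "ale_without": sum(without) / years,
        "ale_with": sum(with_) / years,
        "var_without": value_at_risk(without, confidence),
        "var_with": value_at_risk(with_, confidence),
    }
    result["ale_reduction"] = result["ale_without"] - result["ale_with"]
    result["var_reduction"] = result["var_without"] - result["var_with"]
    return result


if __name__ == "__main__":
    r = compare()
    for key, value in r.items():
        print(f"{key:>14}: {value:>14,.0f}")
    print(f"analytic ALE without: {analytic_ale(WITHOUT_PROGRAMME):,.0f}, "
          f"with: {analytic_ale(WITH_PROGRAMME):,.0f}")
```

Run it stand-alone and compare the two reductions: the ALE reduction is dominated by the frequent, cheap phishing losses, while the change in the 99 % quantile is driven almost entirely by the rare ransomware outage. Whichever measure is chosen, the requirement of 8.2 still applies: the criteria (frequencies, loss sizes, confidence level) have to match those used by the organization's financial function, or the result is not comparable with other programmes.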

8.3 Economic Costs


Costs of an Information security management programme to support particular business objectives
should cover the entire lifecycle of the programme using a risk-based approach. Areas to be covered
may include:
a) Planning.
b) Implementation.
c) Operation.
d) Maintenance.
e) Improvement.
f) Decommissioning.



Reporting and assurance procedures (including any auditing by customers or 3rd parties, internal auditing
or other assurance approaches) should also be included in the costs. Similarly, costs associated with
training and maintaining awareness of people operating or using information security controls should
be included in the costs.
Costs should also cover the entire information security management programme (see ISO/IEC 27001[1])
and should be associated with a measurement of all the anticipated benefits, not just the economic
benefits (see ISO/IEC 27004[4]). This approach should be taken as it is often unrealistic to separate costs
into categories associated with economic benefits and other benefits.
Maintaining knowledge about the costs and the effectiveness of the Information security management
programme provides an additional benefit that would enable the organization to convey confidence and
trust to organizational stakeholders.
Key cost areas should be considered when assessing the Information security management programme
as shown in Table 4.

Table 4 — Key cost areas

Cost area: Description
Risk assessment: Includes all costs related to risk identification, analysis and evaluation.
Training and awareness: Includes induction training, company wide programmes, targeted training, training assessment, reviews, training material development, presenters, and monitoring tools.
Controls: Includes direct costs for selecting and implementing controls to reduce risks, operating controls, other risk treatment options, and indirect costs related to organizational effectiveness impact related to control. Controls may be preventive, detective and/or reactive.
Certification: Includes costs related to control monitoring and testing, assurance functions, certification testing and anything that works towards validating the effectiveness of security controls. Certification costs are measured based on staff costs (performing control testing), cost of audits, and cost of maintaining certifications or registrations with authorized bodies.
Audit: Includes cost for audit resources (external and/or internal) and should include internal staff time costs for the audit as well as planning, supporting and follow-up.
Measurements: Includes costs for external and/or internal sourcing for measurement programmes, tools and their application and should include internal staff time costs for providing the measurement results.

8.4 Applying Economic Calculations to ISM

8.4.1 Overview

To achieve objectives for information security a business case has to be presented that includes
information security economics based on a calculation model, see Annex C.
An economic business rationale for information security investments should include costs, revenues
and returns, i.e. the business rationale for accepting the costs and investments involved.
As every case is unique, a case-specific approach should be considered. Information security economics
is not very different from the economics used to justify marketing investments designed to create a sales
impact: the benefit in terms of revenues and returns is very seldom known and has to be estimated.
The business cases can be categorized into two types as described in 6.2. The application of models to a
case can be seen as a hierarchy as shown in Figure 2. The method can be applied in several layers and, if
suitable, aggregated. Aggregation is easier to use in a category B business case as this has a more limited
scope.



Figure 2 — ‘Bottom up’ approach to compiling an Information Security Management business case
[Figure: a three-level hierarchy. Top level: one Category A, High Level Business Case. Second level: two Category B, Level 2 business cases, each of Limited Scope. Third level: four Category B, Level 3 business cases below them.]

The biggest difference when applying an economic model is that the organization-wide category (A) is
often applied “Top-Down”, while the partial category (B) has a narrower scope and is applied “Bottom-Up”.
A model for the organization-wide category (A) could be supported by more detailed model(s) if
accurate data are available. When applying the organization-wide model (A) or the partial model (B),
the accuracy of the calculation will be affected by:
a) Availability of existing information related to the economics calculation such as value of assets,
statistics, etc.
b) Available resources for producing the results such as time, people, finance, etc.
c) Availability of business knowledge such as expertise, internal or external.
A simplistic approach can use categorization as the starting point and then evolve the economics
calculation based on the initial calculation.

8.4.2 Guidance

The following steps should be taken as part of ISM in order to identify the business rationale and use an
economic method, referred to as “the case”:
a) Establish Context
1) Get business based description if available.
2) Establish the scope of the case.
3) Establish the context of the case.
4) Establish the stakeholders.
5) Establish who should make the business decision on the case.
6) Determine the category of the case.
b) Define assets that are affected by information security within the scope of the case such as:
1) Critical information.



2) ICT system.
3) Any other assets defined.
4) The assets’ information security value which should be listed for the assets defined.
5) The basic approach to be used for calculations including models and aggregation.
c) Determine objectives of the case.
1) Description in qualitative terms.
2) Description in quantitative terms.
3) Conclude in monetary terms.
d) Determine time.
1) How long is the case expected to have an impact on the organization:
i) Long term cases - more than one year, and if so, how many years.
ii) Short term – maximum one year.
e) Define costs for applying the case such as:
1) Short term costs (not to be used for more than a year and will have no impact on the organization
after that).
2) Investment costs (one time costs but will have an effect during the case).
3) Running costs – annual costs for the case during its time.
4) It is useful to consider costs as direct costs, indirect costs or extended costs (see also model
C.3).
f) Define benefits and value of the case such as:
1) Compliance benefits by avoiding penalties.
2) Compliance/sales opportunities by attracting new markets.
3) Image/sales opportunities by attracting new markets.
4) The positive value of risk reduction.
5) The value of increased internal efficiency.
6) The information security value of each asset if compromised.
7) Any other comparable case.
8) For value the concept of turning negative cost into opportunity value can be used (see also
Annex C).
g) Use possible interaction between cost and value.
All the above may be applicable, but often the context of the case means that only some of the values
apply. Information on values may also come from different but related sources. For example, risk
reduction value may also include compliance penalties. The information security value is often also
a reflection of consequences related to risk. In practical terms many sources may be used.



h) Finalize the basis for selecting the method.


1) If context and scope are organization wide, a method such as BVM and/or a generic investment
calculation may be appropriate. A combination of the two would not be unusual (ref. Category A
business case).
2) If context and scope are narrow and asset/control focused, a method such as ROI could be used
(ref. Category B business case).
3) If the context and scope are a combination of the above, both methods above could apply, but
there may need to be consideration of assets and their CIA impacts (ref. Category B business
case).

8.4.3 A Business Case Based on an Organization-Wide Approach (Category A)

A wider context case (Category A) could be applied through economic values being either broken down
in detail and then aggregated (Bottom-Up), or identified using an overview analysis method (Top-Down)
where details are estimated. The latter method is likely to contain a lot of uncertainty, which may make
it invalid while giving management an impression of precision when deciding on the case. It will also
be quite time consuming without providing the intended quantitative results.
The method can be implemented in stages. It is generally an iterative process with inputs changing as
information is gathered, so changes are made before a final calculation is made. It is often easier to
identify a range of input values or results than precise values. Where a range can be used, it might be
useful to document likely maximum and minimum values.
Input Positive:
a) Direct annual opportunity value, such as incident cost reduction.
b) Indirect opportunity value applied over the time of the case, such as avoiding penalties through
compliance.
c) Extended opportunity value applied over the time of the case, such as sales opportunities for a new
market.
Input Negative:
d) Direct annual costs, such as running costs.
e) Indirect cost applied over the time of the case, such as setting up a project.
f) Extended cost applied over the time of the case, such as sales loss.
See D.1 for an example (using the model mentioned in C.2 and C.5).
This could also be calculated from the assets within the scope (“Bottom-Up”) using the principle in
Table 2. This approach will be more accurate but is extensive work and depends on assets being defined;
in many instances this is not easily available. This is the “Bottom-Up” approach shown in Figure 2.

8.4.4 A Business Case Based on a Part of the Organization (Category B)

A partial context case (Category B) means that all economic values have to be gathered at a detailed
level, and then aggregated (“Bottom-Up”).
The complexity of a partial category (Category B) case may vary greatly. Models D.2 and D.3 show a
narrow scope application and then a broader one.
The method can be applied in stages. It is generally an iterative process with inputs changing as
information is gathered. A final calculation cannot be made until all the changes are complete. It is often
easier to identify a range of input values or results than precise values. Where a range can be used, it
might be useful to document likely maximum and minimum values.



Input Positive:
a) CIA value of the asset/assets within the scope of the business case.
b) Define the impact on the value taking account of CIA risk.
c) Turn the negative impact to an opportunity value assuming correct information security levels
for each of the confidentiality, integrity and availability scenarios (i.e. none of the risks identified
materialise).
Input Negative:
d) Direct annual costs, such as running costs for mitigating the risk.
e) Any indirect cost applied over the time of the business case, such as setting up a project.
f) Extended cost applied over the time of the case, such as sales loss.
See D.2 for example.
A partial context business case (category B) that is very limited in scope means that all economic values
have to be gathered at a detailed level, which could then be directly applied to the case.
Construct a short analysis and select a simple method such as the negative to positive model which can
be rapidly conducted and understood (refer to C.5).
Input Positive:
a) Estimate actual or potential business impact related to information security.
b) Estimate the positive value for the activity of the business case.
c) Conclude if there are any other positive values that may occur depending on the activity and decide
if to include them or not. This will depend on the case and the information available.
Input Negative:
d) Define the direct and indirect control(s) required to mitigate the impact.
e) Define the direct and indirect costs for applying the control(s).
Conclude:
f) Establish the net value /costs.
g) Compare and decide.
See D.3.
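The steps of 8.4.2 and the Category B inputs of 8.4.4, together with the per-criterion asset values of 7.2, can be carried through in a small calculator. The following Python is added here as an illustration; it is not code from ISO/IEC TR 27016 and does not implement the models of Annex C or the worked cases of Annex D. The arithmetic is an assumed simplification: the opportunity value is the expected impact of the identified CIA risks over the case period (the loss avoided if, as 8.4.4 c) puts it, none of the identified risks materialise), costs follow the short term / investment / running / extended split of 8.4.2 e), and the net value is the difference. Probabilities are entered as min/max ranges so the result is a range, as 8.4.4 recommends. All asset values, probabilities and costs are constructed figures.

```python
"""Category B (partial scope) business case calculator.

Added illustration, not code from ISO/IEC TR 27016 or its Annex C/D models.
Assumed simplification: opportunity value = expected annual impact of the
identified CIA risks (which the controls are assumed to prevent) summed over
the case period; net value = opportunity value minus lifecycle costs.
Probabilities are given as min/max ranges, so every result is a range.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One information asset with a separate monetary value per criterion:
    the business impact if that criterion is compromised (7.2)."""
    name: str
    confidentiality: float
    integrity: float
    availability: float

    def value_for(self, criterion: str) -> float:
        return getattr(self, criterion)


@dataclass(frozen=True)
class Risk:
    """A risk against one criterion of one asset: annual probability of
    occurrence as a range, and the share of the criterion value lost."""
    asset: str
    criterion: str            # "confidentiality", "integrity" or "availability"
    p_annual_min: float
    p_annual_max: float
    impact_fraction: float = 1.0


@dataclass(frozen=True)
class CaseCosts:
    """Cost inputs of 8.4.2 e): short term (first year only), investment
    (one-off), running (per year) and extended (over the whole case)."""
    short_term: float
    investment: float
    running_annual: float
    extended: float = 0.0


def expected_annual_impact(assets, risks, bound):
    """Sum over risks of p(annual) * value of the affected criterion * share lost.
    `bound` selects the "min" or "max" end of each probability range."""
    by_name = {a.name: a for a in assets}
    total = 0.0
    for r in risks:
        p = r.p_annual_min if bound == "min" else r.p_annual_max
        total += p * by_name[r.asset].value_for(r.criterion) * r.impact_fraction
    return total


def opportunity_value(assets, risks, years):
    """Turn the negative impact into a positive value (8.4.4 c): the impact
    avoided over the case period if none of the identified risks materialise."""
    return (expected_annual_impact(assets, risks, "min") * years,
            expected_annual_impact(assets, risks, "max") * years)


def total_cost(costs, years):
    return costs.short_term + costs.investment + costs.running_annual * years + costs.extended


def net_value(assets, risks, costs, years):
    lo, hi = opportunity_value(assets, risks, years)
    cost = total_cost(costs, years)
    return lo - cost, hi - cost


def decide(net_min, net_max):
    """8.4.4 g) compare and decide; a range spanning zero is not a clear case."""
    if net_min > 0:
        return "accept: positive even at the low end of the range"
    if net_max < 0:
        return "reject: negative even at the high end of the range"
    return "judgement required: net value range spans zero"


def example_inputs():
    """Constructed figures for illustration only."""
    assets = [
        Asset("public website", confidentiality=0.0, integrity=150_000, availability=60_000),
        Asset("customer database", confidentiality=500_000, integrity=200_000, availability=100_000),
    ]
    risks = [
        Risk("public website", "integrity", 0.10, 0.30),
        Risk("customer database", "confidentiality", 0.02, 0.08),
        Risk("customer database", "availability", 0.05, 0.10, impact_fraction=0.5),
    ]
    costs = CaseCosts(short_term=20_000, investment=60_000, running_annual=25_000)
    return assets, risks, costs


if __name__ == "__main__":
    assets, risks, costs = example_inputs()
    years = 3
    lo, hi = opportunity_value(assets, risks, years)
    nlo, nhi = net_value(assets, risks, costs, years)
    print(f"opportunity value over {years} years: {lo:,.0f} .. {hi:,.0f}")
    print(f"lifecycle cost: {total_cost(costs, years):,.0f}")
    print(f"net value: {nlo:,.0f} .. {nhi:,.0f} -> {decide(nlo, nhi)}")
```

In the constructed case the net value over three years runs from roughly minus 72 500 to plus 115 000, so the range spans zero and the decision step cannot be settled by the arithmetic alone; narrowing the probability ranges with better incident statistics (the availability of existing information noted in 8.4.1 a)) is what moves such a case to a clear accept or reject. The public website carries a confidentiality value of zero, which is exactly the three-values-per-asset point made in 7.2.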



Annex A
(informative)

Identification of Stakeholders and Objectives for Setting Values

A.1 Overview
The purpose of this annex is to assist organizations in understanding the wider economic impact of
their information security management programmes and related investments. There are a variety of
constituencies that could benefit from an organization’s improved information security management.
The nature and size of the economic benefit will depend on how organizations leverage the benefits they
can achieve associated with more efficient information security management.

A.2 Critical Public or Private Sectors


Public and private sector organizations in industry sectors in which information security is a primary
business objective (such as banking, government, health and defence) clearly depend on establishing
and maintaining information security as a core part of their brand value and image; indeed it is an
inherent part of their products and services. By the same token, if organizations in such sectors suffer
information security incidents, their brands may be harmed and, in the worst cases, they may be put out
of business.

A.3 Public Health and Safety


The proposed standard does not explicitly affect public health and safety. However, it will indirectly
affect the safety of many forms of medical treatment by ensuring that the information on which such
treatment is based receives adequate security protection.

A.4 Societal and Community


The proposed standard is broadly applicable to organizations that operate and deal with all sectors of
society. It is unlikely to have an adverse impact on minority or disadvantaged groups and will in fact
benefit all stakeholders as well as society and the community generally.

A.5 Personal Information


In cases where information concerns individuals and their privacy, the standard will have a beneficial
effect because it is likely that the protection of personal and sensitive information will be improved in
organizations that use this standard in association with an information security management system.
For most organizations the management of the vast stores of personal information is one of the areas
where greater information security challenges are encountered. A compromise of the security of
personal information could result in negative externalities.

A.6 Environmental
The proposed standard will not directly impact the environment to any significant extent.
Indirectly the proposed standard will have a positive effect on the environment, because information
critical to effective environmental management is likely to receive better protection in organizations
that use it in association with an information security management system than may currently be the
practice.

A.7 Competition
Organizations that make good use of information security may achieve a competitive advantage over
those that do not because related risks are better managed.



Annex B
(informative)

Economic Decisions and Key Cost Decision Factors

COST DECISIONS

Ref BUSINESS OBJECTIVES Risk Mitigation Certification Risk Manage- Control Costs
Costs Costs ment Organiza-
tional Costs
A Enabling the business to participate in high Yes Yes. Yes Yes
risk endeavours, by increasing risk man- Systems with Business Business part-
agement maturity and operating at lower lower risk will partners may ners are more Controls applied are generally
risk than competitors allow participa- be influenced likely to partake a wide set of controls that
tion in a high risk to participate in higher risk affect the whole business
environment based on ventures if the such as training. Cost for each
demonstrable organization can control is dependent on the
security certi- demonstrate a controls themselves and the
fication more mature information security maturity
risk organization of the organization

B Enabling the business to satisfy regulatory Yes Maybe No Yes


requirements thereby avoiding operational
resource limitations and penalties, e.g. by Organizations Certification Increasing Controls applied are generally
improving compliance with better risk may directly expenditure on a wide set of controls that
mitigation have contribute risk management affect the whole business
better regulatory to satisfying organization as well as specific technical
positions regulatory does not directly controls. The cost of each con-
requirements result in an trol depends on the controls
improved regula- themselves and the informa-
tory position tion security maturity of the
organization
C Enabling the business to be versatile, agile No No Yes No
and responsive to change, e.g. by building
flexibility into security solutions Mitigating risks Certifica- Increasing Controls genereally do not
do not neces- tion does not expenditure on contribute to organizational
sarily make an improve an operational risk agility. This has more to do
organization organization’s organization is with ISM and the maturity of
more agile agility more likely to the ISMS
enable a business
to manage higher
risk opportuni-
ties effectively
D Achieving an acceptable level of predicted Yes No Yes Yes
(future) loss, based on the expected risk
profile, e.g. by mitigating risks based on Risk mitigation Certifica- Increasing Controls can be
risk value (ALE) directly drives tion does not expenditure on
expected loss directly drive operational risk applied directly to mitigate
levels lower risk and organization is risks
expected loss more likely to
rates reduce risks and
expected losses
E The annualized loss expectancy (ALE) Yes No Yes Yes
expresses the product of expectance
values (mean values) of loss as well as of Risk mitigation Certifica- Increasing Controls can be applied
occurrence. Such a calculation of risk level directly drives tion does not expenditure on directly to mitigate risks
does not provide sufficient results for expected loss directly drive operational risk
“low frequency / large impact incident(s)”. levels lower risk and organization is
Information security controls should also expected loss more likely to
cover these “low frequency / high impact rates reduce risks and
incidents” as they are a real information expected losses
security concern . The calculation of a
Value-at-risk (VAR) has the potential to
deliver better results than the ALE.

© ISO/IEC 2014 – All rights reserved  19


ISO/IEC TR 27016:2014(E)


COST DECISIONS

Ref  BUSINESS OBJECTIVES, followed for each objective by whether Risk Mitigation Costs, Certification Costs, Risk Management Organizational Costs and Control Costs contribute to it (Yes/No) and why

F  The annualized loss expectancy (ALE) expresses the product of expectance values (mean values) of losses as well as of occurrence. Such a calculation of risk level does not provide sufficient results for “very low frequency / very large impact incidents” at all. However, information security controls should also cover these “very low frequency / very high impact incidents”. The calculation of an average expected loss has the potential to deliver better results than the ALE.
   Risk Mitigation Costs: Yes. Risk mitigation directly drives expected loss levels.
   Certification Costs: No. Certification does not directly drive lower risk and expected loss rates.
   Risk Management Organizational Costs: Yes. Increasing expenditure on the operational risk organization is more likely to reduce risks and expected losses.
   Control Costs: Yes. Controls can be applied directly to mitigate risks.

G  Maintaining reputation and share price by enabling the business to differentiate on “trust”, e.g. by certifying to standards and mitigating high impact risks that are more likely to impact reputation if they occur.
   Risk Mitigation Costs: Yes. Risks likely to cause reputational impacts can be mitigated.
   Certification Costs: Yes. Certification can improve reputation.
   Risk Management Organizational Costs: Yes. Increasing expenditure on the operational risk organization can improve reputation, especially to prospective employees.
   Control Costs: No. Controls directly do not contribute to maintaining share price. This has more to do with ISM and the maturity of the ISMS.

H  Minimising expected operational costs of operating information security and risk management, e.g. by improving efficiency.
   Risk Mitigation Costs: No. Mitigating risks may not cause operations to be more efficient.
   Certification Costs: No. Certification is not expected to lower operational costs.
   Risk Management Organizational Costs: No. Increasing the amount spent on risk management is not expected to improve efficiency directly.
   Control Costs: No. Controls directly do not contribute to improving efficiency related to risk management. This has more to do with ISM and the maturity of the ISMS including awareness, measurements, audits, etc.

I  Providing assurance on the completeness and accuracy of risk information and governance reporting.
   Risk Mitigation Costs: Yes. Increased investment in assurance is likely to identify ineffective risk treatment, driving subsequent improvement.
   Certification Costs: Yes. Certification provides some increase in process assurance.
   Risk Management Organizational Costs: Yes. Increasing head count will allow increased assurance functionality.
   Control Costs: No. Controls directly do not contribute to risk and governance. This has more to do with ISM and the maturity of the ISMS including awareness, measurements, audits, etc.

J  Protecting staff from personal liability, e.g. performing due diligence to avoid directors’ liability.
   Risk Mitigation Costs: Yes. Directors could be negligent if investment in risk mitigation was inadequate.
   Certification Costs: Yes. Directors may be able to demonstrate due diligence by gaining external certification.
   Risk Management Organizational Costs: Yes. Directors may be negligent if investment in risk management is inadequate.
   Control Costs: Yes. Controls of roles and responsibility for information security.

K  Meeting community expectations as an infrastructure and service provider, by protecting their information.
   Risk Mitigation Costs: Yes. Risks to customer information can be mitigated.
   Certification Costs: Yes. Certification can be used to improve protection of customer information.
   Risk Management Organizational Costs: No. Increasing expenditure on risk management does not directly result in improved protection of customer information.
   Control Costs: No. Controls directly do not contribute to community expectations. This has more to do with ISM and the maturity of the ISMS including awareness, measurements, audits, etc. to provide feedback to the community.

L  Providing employment opportunities to the community.
   Risk Mitigation Costs: Yes. Spending on risk mitigation provides employment opportunities for those doing the mitigating.
   Certification Costs: No. Certification does not directly result in employment opportunities.
   Risk Management Organizational Costs: Yes. Increasing expenditure on the risk management organization creates more employment opportunities.
   Control Costs: No. Controls directly do not contribute to employment opportunities. This has more to do with ISM and the maturity of the ISMS including awareness, measurements, audits, etc.

M  Avoiding requirements for risk and audit capital and additional oversight burdens by operating within acceptable parameters.
   Risk Mitigation Costs: Yes. Mitigating risks is the key means of avoiding risk and audit capital.
   Certification Costs: No. Certification is unlikely to lead directly to a reduction in risk and audit capital allocation.
   Risk Management Organizational Costs: No. Increasing expenditure on the risk management organization does not lead directly to a reduction in risk and audit capital.
   Control Costs: No. Controls do not directly avoid risk and audit capital allocation (unless those controls are deficient).

N  Avoiding impacts on external parties such as infrastructure and service providers.
   Risk Mitigation Costs: Yes. Mitigation of risks is likely to reduce the risk of impacts on external parties, infrastructure and service providers.
   Certification Costs: No. Certification does not directly result in a reduction of impacts to external parties.
   Risk Management Organizational Costs: No. Increasing expenditure on the risk management organization does not lead directly to a reduction in risk to external parties.
   Control Costs: Yes. Controls may directly avoid impacts.

O  Systems to manage and disseminate security policies, procedures, etc.
   Risk Mitigation Costs: Yes. Likely to reduce the risks of human errors.
   Certification Costs: Yes. Part of certification audit scope and will contribute costs.
   Risk Management Organizational Costs: No. There is no increase in the risk management organization.
   Control Costs: No. Controls directly do not contribute to learning. This has more to do with ISM and the maturity of the ISMS including awareness, measurements, audits, etc.

P  Identity/authentication and access management systems to control user IDs, access rights/permissions, etc. for application systems.
   Risk Mitigation Costs: Yes. Likely to reduce the risks of loss of confidentiality and integrity, and may increase handling costs as well as costs of technical solutions.
   Certification Costs: No. Maybe part of certification audit scope.
   Risk Management Organizational Costs: No. There is no increase in risk management organization costs.
   Control Costs: Yes. The controls related to this subject apply.

Q  Vulnerability and change management systems to help keep up to date with security patches.
   Risk Mitigation Costs: Yes. Likely to reduce the risks of loss of confidentiality and integrity. May increase handling costs as well as costs of technical solutions.
   Certification Costs: No. Maybe part of certification audit scope.
   Risk Management Organizational Costs: No. There is no increase in risk management organization costs.
   Control Costs: Yes. The controls related to this subject apply.

R  Incidents with an estimated value sufficient to justify ISMS generation which will lead to overall savings. Provided estimates are sufficiently conservative and rational to survive management challenge, reduced incident costs alone will typically be more than sufficient to justify the cost of the ISMS even though they do not constitute the whole business case.
   Risk Mitigation Costs: Yes. If incidents are added to risk processes this will increase the complexity but also provide more accurate evaluations.
   Certification Costs: No. Maybe part of certification audit scope.
   Risk Management Organizational Costs: Yes. May increase risk management organization cost.
   Control Costs: Yes. The controls related to this subject apply.

S  Addressing information security risks and controls for market, legal or regulatory reasons.
   Risk Mitigation Costs: Yes. But this should be a major part of risk handling.
   Certification Costs: Yes. Part of certification.
   Risk Management Organizational Costs: Yes. May increase the risk organization.
   Control Costs: Yes. Compliance controls apply.

Annex C
(informative)

Economic Models Appropriate for Information Security

C.1 General information


There are many calculation models that apply to economics. In terms of information security these, as well as others, could be used. Only very generic models are listed in this annex.
The precise economic implications of implementing information security processes, procedures or technical measures may be difficult to identify. It is therefore recommended that the results of calculations be presented within ranges, using likely maximum and minimum values. Ranges are not built into the models themselves; they are produced by applying one model repeatedly with different values and/or costs.

C.2 Basic Value Model (BVM)


The principle basic value model applies both for positive (yield) and negative (cost) values and should be used in conjunction with the negative to positive model and the balance sheet presented in the table, for a complete set of method steps for evaluating and presenting results.
The principle of the BVM is based upon three areas with different characteristics, as below:
Direct values cover direct economic values, such as material loss, or direct investments based on an occurrence that can be passive or active. In this area the values can be more precise.
Indirect values are extensions to the direct values and reflect the additional and more intangible values lost or gained. The indirect values have a greater uncertainty and as such they can be given within ranges. They could be an evaluation of values such as lost output, increased administration, etc.
Extended values are those affected by the direct and indirect values and can be quite substantial. Extended values have a greater range and have to be calculated using the same basis as direct and indirect values, but will also be affected by other factors such as the impact on society and/or the organization as a whole, or the share price if relevant, etc. Extended values of items such as brand, reputation, etc. are often considered difficult to quantify. (Note that extended values are most likely to be negative but may also be positive as a consequence of applying information security.)

Figure C.1 — Principle basic value model


C.3 Negative to Positive Model


An approach to turning negative values* into positive values* is based on the alternative questions:
— What will the negative value be if an activity is not done?
— What will the positive value be if an activity is not done?
— What will the negative value be if an activity is done?
— What will the positive value be if an activity is done?
NOTE Values used in the model as costs can be positive.

Answering these questions in combination with the principle Basic Value Model, Figure C.1, will then create a balance board with four squares, as shown in Figure C.2.

Figure C.2 — Negative to Positive model

The use of the model will ensure that all aspects are covered. However, there will also be duplications of values related to the same activity. This can be handled by using a simple balance table, as seen in Table C.1 below.
Referring to Table C.1, in some cases the amount in A1 is the same as in D2, and thus the negative value/cost can be turned into a positive value when comparing the net for the two rows (1 and 2). (If an activity is complex, further rows can be used, but the summary should still be between the current state (the possible activity not done) and the state when the activity is fully implemented/done.)


Table C.1 — Balance table for net values

Columns: A = Positive value, activity done; B = Positive value, activity not done; C = Negative value, activity done; D = Negative value, activity not done; Net.

Ref  Base                                                  Activity               A               B               C               D               Net
1    A possible activity to change the current situation   Activity “X” done      Value           Not applicable  Cost            Not applicable  1A-1B
2    The possible activity not done                        Activity “X” not done  Not applicable  Value           Not applicable  Cost            2B-2D

NOTE The table shows the principle and can be further simplified by deleting the cells that are not applicable.

C.4 Generic Balance Investment for Protection Cost vs. Value Theory
The theory is that an optimum balance point can be reached by applying protection costs gradually against the value being protected. The optimum point between protection cost and value is reached where the further reduction of risk to the value would be less than the further cost of protection. The basic factors for the theory are:
a) The knowledge of the value (which is constant)
b) The known cost of protection (which increases depending on the actions taken)
c) The reduction of risk from applying protection (which is based on the value and on how effective the protection is)
The value and the costs of protection can often be established, but the reduction of risk is often an estimate.

Figure C.3 — Optimum Balance Theory between Protection Cost and Value
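The following is an added example, not part of ISO/IEC TR 27016, of how the optimum balance point of C.4 can be located with the three factors above: it walks through increasingly expensive protection levels and stops at the first step whose marginal reduction of expected loss is smaller than its marginal cost. The asset value, loss probability and the three protection levels are constructed for illustration; the function names are this example's own.

```python
"""Added example for Annex C.4: find the optimum balance between the cost of
protection and the residual risk to a value.  The asset figures and the protection
levels below are constructed for illustration; nothing here is from the report."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ProtectionLevel:
    name: str
    cost: float            # cumulative cost of protection once this level is in place (factor b)
    risk_reduction: float  # fraction of the expected loss removed at this level, 0..1 (factor c)


def expected_loss(value: float, probability: float, risk_reduction: float = 0.0) -> float:
    """Expected loss on the value (factor a) after applying a given risk reduction."""
    return value * probability * (1.0 - risk_reduction)


def total_cost_of_risk(value: float, probability: float, level: ProtectionLevel) -> float:
    """Residual expected loss plus the protection spend: the quantity the theory minimises."""
    return expected_loss(value, probability, level.risk_reduction) + level.cost


def find_optimum(value: float, probability: float,
                 levels: Iterable[ProtectionLevel]) -> Optional[ProtectionLevel]:
    """Walk the levels in order of increasing cost and stop at the first step whose
    marginal reduction in expected loss is smaller than its marginal cost.
    Returns None when even the cheapest level does not pay for itself."""
    chosen = None
    prev_cost = 0.0
    prev_loss = expected_loss(value, probability)
    for level in sorted(levels, key=lambda lv: lv.cost):
        loss_after = expected_loss(value, probability, level.risk_reduction)
        marginal_benefit = prev_loss - loss_after   # reduction of risk bought by this step
        marginal_cost = level.cost - prev_cost      # extra protection cost of this step
        if marginal_benefit < marginal_cost:
            break                                   # beyond the optimum point
        chosen = level
        prev_cost, prev_loss = level.cost, loss_after
    return chosen


# Constructed input: an asset worth 2.0 M$ with a 25 % annual probability of total loss.
ASSET_VALUE = 2_000_000.0
LOSS_PROBABILITY = 0.25
LEVELS = [
    ProtectionLevel("basic", cost=50_000.0, risk_reduction=0.40),
    ProtectionLevel("standard", cost=150_000.0, risk_reduction=0.70),
    ProtectionLevel("advanced", cost=300_000.0, risk_reduction=0.85),
]

if __name__ == "__main__":
    for lv in LEVELS:
        residual = expected_loss(ASSET_VALUE, LOSS_PROBABILITY, lv.risk_reduction)
        print(f"{lv.name:9s} cost {lv.cost:>10,.0f}  residual loss {residual:>10,.0f}  "
              f"total {total_cost_of_risk(ASSET_VALUE, LOSS_PROBABILITY, lv):>10,.0f}")
    best = find_optimum(ASSET_VALUE, LOSS_PROBABILITY, LEVELS)
    print("optimum level:", best.name if best else "none")
```

With these inputs the expected loss without protection is 500,000; "basic" removes 200,000 of it for 50,000, "standard" a further 150,000 for 100,000 more, and "advanced" only 75,000 more for an extra 150,000, so the walk stops at "standard". Because the risk reduction is usually an estimate, the natural next step is to re-run the walk with the minimum and maximum estimates, as C.1 recommends.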


C.5 Generic Investment Calculation - Cost Benefit Calculation


Cost–Benefit Analysis is often used by governments and others, e.g. businesses, to evaluate the desirability of a given intervention. It is an analysis of the cost effectiveness of different alternatives, made in order to see whether the benefits outweigh the costs (i.e. whether it is worth intervening at all) and by how much (i.e. which intervention to choose). The aim is to gauge the efficiency of the interventions relative to each other and to the status quo. It is by altering the status quo that Pareto efficiency is applied in order to achieve the best outcomes.
The following steps comprise a generic cost-benefit analysis:
a) Establish alternative projects/programs.
b) Compile a list of key players (those with standing or influence).
c) Select the measurement and collect all cost and benefit elements.
d) Predict the outcome of costs and benefits over the duration of the project.
e) Express all effects of costs and benefits as a number in local currency.
f) Apply a discount rate (could also be an internal financial rate)*.
g) Calculate the Net Present Value of the project options.
h) Sensitivity analysis.
i) Recommendation.
*) Often provided by the Finance Dept.
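Steps e) to h) above, as an added example that is not part of the report: yearly net cash flows in local currency are discounted at the rate supplied by finance, the options are ranked by Net Present Value, and the sensitivity analysis varies the rate and finds the breakeven rate (the internal rate of return) of each option. The two options and all figures are constructed; the function names are this example's own.

```python
"""Added example for Annex C.5: net present value and sensitivity analysis for
competing information security investment options (steps e) to h)).  The two
options and the discount rates are constructed for illustration."""
from typing import Dict, List, Sequence


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """Net present value of yearly net cash flows; index 0 is today (undiscounted)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = 0.0, hi: float = 1.0, tol: float = 1e-9) -> float:
    """Discount rate at which the NPV reaches zero, found by bisection.  The option
    breaks even at this rate, so it is a natural threshold for the sensitivity analysis."""
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign in [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if f_mid * f_lo > 0:          # root lies above mid
            lo, f_lo = mid, f_mid
        else:                         # root lies below mid
            hi = mid
    return (lo + hi) / 2.0


def rank_options(options: Dict[str, Sequence[float]], rate: float) -> List[str]:
    """Step g): order the options by NPV, best first."""
    return sorted(options, key=lambda name: npv(options[name], rate), reverse=True)


def sensitivity(options: Dict[str, Sequence[float]],
                rates: Sequence[float]) -> Dict[float, List[str]]:
    """Step h): how the ranking changes as the discount rate is varied."""
    return {r: rank_options(options, r) for r in rates}


# Constructed cash flows in k$: year 0 is the investment, years 1-3 the net benefit
# (avoided incident cost minus running cost) of two alternative projects (step a)).
OPTIONS = {
    "A: full ISMS rollout": [-100.0, 50.0, 50.0, 50.0],
    "B: targeted controls": [-60.0, 40.0, 20.0, 20.0],
}

if __name__ == "__main__":
    for name, flows in OPTIONS.items():
        print(f"{name}: NPV at 10 % = {npv(flows, 0.10):.2f} k$, breakeven rate = {irr(flows):.1%}")
    for rate, ranking in sensitivity(OPTIONS, [0.0, 0.05, 0.10, 0.20]).items():
        print(f"rate {rate:.0%}: {ranking}")
```

Option A has an NPV of about 24.3 k$ at 10 % and breaks even at a discount rate of roughly 23 %; reporting that breakeven rate alongside the NPV tells management how much the finance department's rate would have to move before the recommendation changes.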


Annex D
(informative)

Business Cases Calculation Examples

D.1 Organizational Business Case Calculation Example (Ref. A)


Description: The business faces more and more customer related cases requiring ISO/IEC 27001[1] alignment. The marketing department has requested that the organization consider ISO/IEC 27001 certification. The CISO has the task of calculating an economic business case for implementing an ISMS according to ISO/IEC 27001, including enough input to encourage top management to initiate the implementation project (as described in ISO/IEC 27003[3]).
Context: The whole organization should be certified.
A business case for an ISMS will have an effect on the organization over the long term; this has to be taken into account in the calculations. This can be done either by assuming a time period and calculating values and costs for that period, or, more simply, by addressing the investment decision at the time of the decision (e.g. one year) and balancing it against the values for one year, thus not taking a rate into account. The latter is chosen as the starting point for this business case calculation, and a maximum and minimum range is then used to underline the uncertainty. The time dimension can be included afterwards as needed.

Ref  Factors, followed by the Basics (range) entry and the value related and cost related entries (each direct, indirect or extended); columns not named for a row have no entry.

A  Sales turnover annually. Basics: 100 M$. Value related: 3 % = 3 M$.
B  Possible sales increase with certification annually. Basics: 3 % (1 %–5 %).
C  The investment is valid. Basics: 10 years.
D  Cost of ISMS implementation project. Basics: ±20 %. Cost related, direct: 0.5 M$.
E  Cost for certification as part of the project. Basics: n/a. Cost related, direct: 0.3 M$.
F  Internal efficiency loss during project. Basics: ±20 %. Cost related, indirect: Not estimated*.
G  ISMS controls costs implementation for certification during project. Basics: ±20 %. Cost related, direct: 0.3 M$; indirect: 0.2 M$.
H  Cost of running the ISMS annually. Cost related, direct: 0.1 M$.
I  Internal efficiency increase annually*. Basics: Not estimated*. Value related, indirect: Not estimated*.
J  Value of reduced audits*. Basics: Not estimated*. Value related, direct: Not estimated*; indirect: Not estimated*.
K  Reduced risk value*. Basics: Not estimated*. Value related, direct, indirect and extended: Not estimated*.
L  Compliance value*. Basics: Not estimated*. Value related, direct, indirect and extended: Not estimated*.
M  Image/Brand value*. Basics: Not estimated*. Value related, extended: Not estimated*.
N  Total cost of certification annually (excl. initial cost)*. Basics: Not estimated*. Cost related, direct: Not estimated*.

* These (and other) costs and/or values could also be estimated as part of the business case and included in the calculations if it seems that they will have an impact on the practicality of the decision.
Note: The calculation figures are illustrative only, and do not relate to any real situation.

The initial calculation for the conclusion is based on estimated values without using a range.

Conclusion 1 BASE:

During the year after certification the extended value is: 3.0 M$

The costs are summarized as: −1.4 M$

Sum: +1.6 M$

Conclusion 2 Range:

The second calculation for the conclusion is based on estimated values using a range with maximum (Max) and minimum (Min) values. The Max. values represent the highest values and lowest costs, and the Min. values the lowest values and highest costs (see the table above for the changes due to range uncertainties).

Max: During the year after certification the max extended value is: 5.00 M$

The costs from calculation 1 are decreased by 20 %: −1.4 M$ × 80 % = −1.12 M$

Sum: +3.88 M$

Min: During the year after certification the min extended value is: 1.00 M$

The costs from calculation 1 are increased by 20 %: −1.4 M$ × 120 % = −2.35 M$

Sum: −1.35 M$

Conclusion 2 indicates that, despite a generally positive economic scenario, there may be a situation where the business case turns out negative on purely economic grounds. This indicates that further analysis may be needed: the probability of the “Min” calculation should be recalculated, possibly adding more estimates for the factors in the table, to see whether additional values and costs change the negative economic result.
The probability analysis should be the starting point, as it may show clear indications that the probability is low, which should then be included as a reason for presenting calculation 1 as the basis for the business case.


Such an analysis could be as follows: where the organization is not certified, an alternative scenario provided by the Sales and Marketing department indicates a possible decrease in sales of 15 % over a three year period. This relates to the part of the customer base that is already asking about ISO/IEC 27001[1] alignment. (A 15 % decrease is such a high value (as the negative impact is a positive value for motivating the business case) compared to calculations 1 and 2 that further analysis will not result in any major changes.)
The business case can be presented as calculation 1 with the alternative scenario from the probability analysis.
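The base, Max and Min calculations of D.1 as an added example, not part of the report: the cost items are taken from the D.1 table and grouped by the Annex C.2 categories (direct, indirect), and one function produces all three conclusions from the sales increase percentage and the ±20 % cost factor. The function names and the way the range is parameterised are this example's own. One arithmetic check that falls out of it: −1.4 M$ × 120 % is −1.68 M$, so the Min sum computes to −0.68 M$ rather than the −2.35 M$ and −1.35 M$ printed above; the sign of the result, and hence the conclusion drawn from it, is unchanged.

```python
"""Added example for Annex D.1: base, maximum and minimum business case
calculation for an ISMS certification, using the figures of the D.1 table
(illustrative figures, as the table itself notes)."""
from typing import Dict, List, Tuple

SALES_TURNOVER_M = 100.0          # row A: sales turnover annually, M$
SALES_INCREASE_PCT = 0.03         # row B: possible sales increase with certification
COST_ITEMS_M: List[Tuple[str, str, float]] = [   # (row, Annex C.2 category, M$)
    ("D ISMS implementation project", "direct", 0.5),
    ("E certification as part of the project", "direct", 0.3),
    ("G ISMS controls implementation", "direct", 0.3),
    ("G ISMS controls implementation", "indirect", 0.2),
    ("H running the ISMS annually", "direct", 0.1),
]


def total_costs_m(category: str = None) -> float:
    """Sum of the cost items, optionally for one C.2 category only."""
    return sum(amount for _, cat, amount in COST_ITEMS_M if category in (None, cat))


def business_case(sales_increase_pct: float, cost_factor: float) -> Dict[str, float]:
    """One-year balance: extended value from the sales increase against the costs,
    with the costs scaled by the range factor (1.0 = base, 0.8 = max, 1.2 = min)."""
    value = SALES_TURNOVER_M * sales_increase_pct
    costs = -total_costs_m() * cost_factor
    return {"extended_value": value, "costs": costs, "net": value + costs}


def scenarios() -> Dict[str, Dict[str, float]]:
    """Conclusion 1 (base) and Conclusion 2 (Max: highest value and lowest costs,
    Min: lowest value and highest costs), using the 1 %-5 % range of row B."""
    return {
        "base": business_case(SALES_INCREASE_PCT, 1.0),
        "max": business_case(0.05, 0.8),
        "min": business_case(0.01, 1.2),
    }


if __name__ == "__main__":
    print(f"direct costs {total_costs_m('direct'):.1f} M$, indirect {total_costs_m('indirect'):.1f} M$")
    for name, result in scenarios().items():
        print(f"{name:4s} value {result['extended_value']:+.2f} M$  "
              f"costs {result['costs']:+.2f} M$  net {result['net']:+.2f} M$")
```

Keeping the items in a list rather than a single total is what lets the "Not estimated*" rows of the table be added later without touching the calculation.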

D.2 Partial Organizational Business Case Calculation Example (Ref. B)


Case: This business case example relates to a particular asset to which various information security controls could be applied; it is therefore a limited business case. The costs of these controls are not included in the example; instead, the impact costs of not applying the controls are calculated, which can then be seen as a positive value to set against the control costs later, at the second stage. The ISM decision for the business case is to go to the next stage and determine controls and control costs.
Information Asset
The organization maintains a database of 250,000 clients. The information contained within the database includes the personally identifiable information for each client, personal credit card details, and historical information of the transactions made between the client and the organization for the past 10 years.
Risks and Associated Impact Costs
The risks to the information asset need to be considered and valued from the perspectives of confidentiality, integrity and availability:

CIA Factor: Confidentiality
Risk Description: The database is accessed by unauthorized individuals and copied in its entirety. Now the information is being used to assume the identities of the organization’s clients and to perform unauthorized transactions using their personal and credit card information.
Cost to Organization:
— Each individual has to be notified that their personal information has been compromised ($25 per client). (Number of clients in a breach estimated as 1,000)
— The loss of the client information results in a breach of legislation ($500,000 single penalty)
— The organization needs to redirect resources to determining the cause of the breach, assisting law enforcement investigations into the breach, and in remediating the information system to prevent a future breach ($250,000 once off)

CIA Factor: Integrity
Risk Description: An organization client enters into an online transaction and during this transaction the personal information/details of another organization client are revealed.
Cost to Organization:
— Each transaction has to be reviewed to validate whether or not the correct information is present ($25 per transaction). (Number of transactions in a breach estimated as 10,000)
— The unauthorized display of the client information results in a breach of legislation ($500,000 single penalty)
— Loss of future business as clients move their business to competitors ($100 per lost client). (Estimate of 40 % of clients in a breach (1,000))

CIA Factor: Availability
Risk Description: The database becomes corrupted and no information is available to authorized users.
Cost to Organization:
— The organization needs to redirect resources to determining the cause of the data loss, and undertake mitigating controls to restore access (including calling in consultants) ($5,000 per hour). (Estimated at 300 h)
— Downtime staff productivity as no transactions are required to be filled ($100,000 per hour). (Estimated at 10 h)
— Loss of present business as clients are unable to perform transactions ($100 per abandoning client). (Estimated at 20 % of clients in a breach (1,000))

In the table below, the sum of costs represents the value for balancing the control costs in the next stage:

Confidentiality: Customer related $25 × 1,000 = $25,000; Legislation $500,000; Business interruption x; Resources allocation $250,000; Sum $775,000
Integrity: Customer related $25 × 10,000 = $250,000 and $100 × (40 % × 1,000) = $40,000; Legislation $500,000; Business interruption x; Resources allocation x; Sum $790,000
Availability: Customer related $100 × (20 % × 1,000) = $20,000; Legislation x; Business interruption $100,000 × 10 = $1,000,000; Resources allocation $5,000 × 300 = $1,500,000; Sum $2,520,000
Sum: Customer related $335,000; Legislation $1,000,000; Business interruption $1,000,000; Resources allocation $1,750,000; Total $4,085,000
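The impact-cost table of D.2 built from its per-unit costs and breach-size estimates, as an added example that is not part of the report. Each cost line of the risk table becomes one item with a CIA factor, a summary column, a unit cost and an estimated quantity, and a cross-tabulation produces the row, column and grand sums above. The data structure and function are this example's own; the figures are those of D.2.

```python
"""Added example for Annex D.2: cross-tabulating the impact costs of the client
database by CIA factor and cost category.  Figures are those of the D.2 tables
(illustrative); the ImpactItem structure and impact_table are this example's own."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ImpactItem:
    cia: str          # Confidentiality / Integrity / Availability
    category: str     # column of the summary table
    unit_cost: float  # $ per client, per transaction, per hour, or a single penalty
    quantity: float   # estimated number of units in the breach (1 for a single penalty)


ITEMS: List[ImpactItem] = [
    # Confidentiality: database copied in its entirety, 1,000 clients in the breach
    ImpactItem("Confidentiality", "Customer related", 25.0, 1_000),
    ImpactItem("Confidentiality", "Legislation", 500_000.0, 1),
    ImpactItem("Confidentiality", "Resources allocation", 250_000.0, 1),
    # Integrity: other clients' details revealed, 10,000 transactions, 40 % of 1,000 clients lost
    ImpactItem("Integrity", "Customer related", 25.0, 10_000),
    ImpactItem("Integrity", "Legislation", 500_000.0, 1),
    ImpactItem("Integrity", "Customer related", 100.0, 400),          # 40 % of 1,000
    # Availability: corrupted database, 300 h recovery, 10 h lost productivity, 20 % of 1,000 clients
    ImpactItem("Availability", "Resources allocation", 5_000.0, 300),
    ImpactItem("Availability", "Business interruption", 100_000.0, 10),
    ImpactItem("Availability", "Customer related", 100.0, 200),       # 20 % of 1,000
]


def impact_table(items: List[ImpactItem]) -> Dict[str, Dict[str, float]]:
    """Cross-tabulate cost by CIA factor and category; the 'Sum' row and the 'Sum'
    column hold the column, row and grand totals."""
    table: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for it in items:
        amount = it.unit_cost * it.quantity
        table[it.cia][it.category] += amount
        table[it.cia]["Sum"] += amount
        table["Sum"][it.category] += amount
        table["Sum"]["Sum"] += amount
    return {cia: dict(cols) for cia, cols in table.items()}


if __name__ == "__main__":
    for cia, cols in impact_table(ITEMS).items():
        print(f"{cia:16s}", {k: f"${v:,.0f}" for k, v in cols.items()})
```

The grand total of $4,085,000 is the positive value carried into the second stage, where it is set against the cost of the controls; because each line keeps its own estimate (clients, transactions, hours), the table can be re-run with a different breach size or hourly rate to see which CIA factor dominates the value.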

D.3 Asset/Control Case Example (Ref. B)


Case: Applying a user information security awareness activity related to internet usage. This business case example relates to a specific activity and a very limited number of controls. Even if the controls are applied organization wide, in this instance it is still regarded as a limited business case because of the small number of controls. The ISM decision for the business case is to launch the activity.
Basic data:
Number of users: 1000
Cost of internet usage related incidents annually: 100,000 $
Effect of training as reduction of incidents: 70 %
Cost of training material: 10,000 $
Internal time cost per hour: 50 $
Training time hours: 1
The training program impact lasts for: 3 years
The calculation of the case should be: 3 years
Number of training sessions during time: 2 times


Based on the model in C.3 the following calculations are made and then a sensitivity analysis is included:

Activity: Carry out internet user training
  Positive value: $210,000 (3 × 100,000 × 70 %)
  Negative value/Cost: $110,000 (10,000 + ((50 × 1000) × 2))
  Net: +$100,000
Activity: No internet user training done
  Positive value: $100,000 (50 × 1000 × 2)
  Negative value/Cost: $300,000 (3 × 100,000)
  Net: −$250,000

Conclusion: The net benefit of applying the training activity is +$100,000 over the three years. The net of the negative value/costs of not doing the activity is −$250,000.
This calculation can serve as a basis for deciding to undertake the activity and also for following up how correct the calculation was. If there is significant variation, further actions can be determined and calculated. (The example may be more complicated, as incidents can be further defined. It is assumed that all incidents referred to in the example are user related.)
A sensitivity analysis of the calculation considers by how much the incident impact needs to decrease in order to reach a breakeven point. This is done by using the table in reverse for the activity done, setting the positive value equal to the negative value/cost so that the Net = 0. The table below shows the re-calculation of the positive value in order to get the breakeven percentage of incident reduction.

Activity: Carry out internet user training
  Positive value: $110,000 (3 × 100,000 × Y = $110,000)
  Negative value/Cost: $110,000 (10,000 + ((50 × 1000) × 2))
  Net: $0
Y = 110,000 / (3 × 100,000) = 37 %

The sensitivity analysis shows that approximately only half the estimated reduction of incidents is
needed as an outcome of the training to make breakeven, i.e. covering the costs.
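The D.3 training case as an added example, not part of the report, of the C.3 negative-to-positive balance table with its breakeven sensitivity check: one function fills the "activity done" and "activity not done" rows from the basic data, taking Net as positive value minus negative value/cost of the same row, and a second solves for the incident reduction Y at which Net = 0. The figures are those of D.3; the function names are this example's own. For the "not done" row the code returns −$200,000 ($100,000 − $300,000), whereas the table as printed shows −$250,000; the breakeven of 37 % matches.

```python
"""Added example for Annex D.3 (and the Annex C.3 balance table): the internet
usage awareness training case as a negative-to-positive calculation with a
breakeven sensitivity check.  Inputs are the D.3 basic data."""
from typing import Dict


def training_balance(users: int, incident_cost_per_year: float, reduction: float,
                     material_cost: float, hourly_cost: float, training_hours: float,
                     sessions: int, years: int) -> Dict[str, Dict[str, float]]:
    """Two rows of the C.3 balance table: the activity done and the activity not done.
    Net is the positive value minus the negative value/cost of the same row."""
    time_cost = hourly_cost * training_hours * users * sessions   # staff time spent in training
    total_incidents = incident_cost_per_year * years               # incident cost with no training
    done = {
        "positive": total_incidents * reduction,                   # incident cost avoided
        "negative": material_cost + time_cost,                     # cost of the activity
    }
    not_done = {
        "positive": time_cost,                                     # training time not spent
        "negative": total_incidents,                               # incidents keep occurring
    }
    for row in (done, not_done):
        row["net"] = row["positive"] - row["negative"]
    return {"done": done, "not_done": not_done}


def breakeven_reduction(users: int, incident_cost_per_year: float, material_cost: float,
                        hourly_cost: float, training_hours: float, sessions: int,
                        years: int) -> float:
    """Sensitivity analysis: the incident reduction Y at which Net = 0 for the activity
    done, i.e. (years x incident cost) x Y = cost of the activity."""
    cost = material_cost + hourly_cost * training_hours * users * sessions
    return cost / (incident_cost_per_year * years)


# Basic data of D.3; the 70 % training effect is kept apart so that the same inputs
# serve both the balance table and the breakeven calculation.
CASE = dict(users=1_000, incident_cost_per_year=100_000.0, material_cost=10_000.0,
            hourly_cost=50.0, training_hours=1.0, sessions=2, years=3)
TRAINING_EFFECT = 0.70

if __name__ == "__main__":
    for name, row in training_balance(reduction=TRAINING_EFFECT, **CASE).items():
        print(f"{name:9s} positive {row['positive']:>10,.0f}  "
              f"negative {row['negative']:>10,.0f}  net {row['net']:>+10,.0f}")
    print(f"breakeven incident reduction: {breakeven_reduction(**CASE):.1%}")
```

Running the balance again after the three years with the incident figures actually observed, in place of the 70 % estimate, is the follow-up the text describes; the breakeven value says how far the observed reduction may fall short before the decision would have been wrong.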


Bibliography

[1] ISO/IEC 27001:2013, Information technology — Security techniques — Requirements of information security management systems
[2] ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for
information security controls
[3] ISO/IEC 27003:2010, Information technology — Security techniques — Information security
management system implementation guidance
[4] ISO/IEC 27004:2009, Information technology — Security techniques — Information security
management — Measurement
[5] ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk
management
[6] ISO/IEC 27006:2011, Information technology — Security techniques — Requirements for bodies
providing audit and certification of information security management systems
[7] ISO/IEC 27007:2011, Information technology — Security techniques — Guidelines for information
security management systems auditing
[8] ISO/IEC 27014:2013, Information technology — Security techniques — Governance of information
security
[9] ISO 31000:2009, Risk management — Principles and guidelines


ICS 35.040
Price based on 31 pages
