
Sample Product Evaluation criteria

March 26, 2011

Task:  Identify criteria used to evaluate and recommend security products.

Instructions:

Refer the students to the email after the IS Security Program Review module.

Allow the students to work on the exercise for approximately 10 minutes.

Call on several students and ask them what criteria they use to evaluate countermeasures.

Respond to the students’ answers, ensuring that the following information is discussed:

Solution:

The following criteria are often used to evaluate countermeasures:

Cost

Effectiveness

Impact on system performance

Impact on user

Whether cost, effectiveness, system performance impact, or user impact, the underlying criterion for assessing a countermeasure is:

Risk, or how much risk can be accepted

Using the concept of acceptable risk, look at the four areas of criteria separately:

Cost

Is the cost justified based on the risk?

Is there a more cost-effective alternative?

The smaller the acceptable risk, the greater the cost typically is

The higher the acceptable risk, the lower the cost typically is

Effectiveness

Does the countermeasure work?

Does the countermeasure reduce risk?

Is there derived value, and if so:

Is the cost commensurate with the derived value or reduction in risk?

Is the effect on system performance justified compared with the amount of risk reduction?

How easy are the countermeasures to circumvent?

Impact on system performance

Does the countermeasure cause degradation in system performance?

Can you accept the increased system overhead? As a rule, the greater the security, the greater the system overhead.

Impact on users/program objectives

How do the countermeasures impact the users’ ability to accomplish the mission?

Is the countermeasure worth the impact on employee performance if it causes work slowdowns or stoppages?

How willing are the users to comply with the countermeasures?

How easy are the countermeasures to use?

Discussion Issues:  ?

https://www.bestitdocuments.com/