Security Investment Decision Dashboard Concerns Report (Assessment)

Introduction

As various businesses and companies develop, their leaders understand that it is beneficial for them to invest in corporate financial means in the assurance of information and software. Such a step is usually made to meet compliance requirements and optimize ownership expenses aimed at ensuring software security. The SIDD (Security Investment Decision Dashboard) is helpful for organizations that arrive at such decisions and appropriate conclusions after evaluating, comparing, and assessing multiple candidate security investments that are usually built according to certain business requirements and criteria. The primary principle of the given dashboard implies different priorities for the investments mentioned above that are influenced by the company’s expected outcomes for any investments made by its managers. The following paper is intended to discuss various aspects that must be considered when investing money in SIDD.

What Eight Steps Are Identified as Necessary to Make a Business Case Software Assurance and Affect Important Changes?

The following list will enumerate a number of actions that are recommended to make the business case for efficient software assurance and to affect all the essential changes in such an instance:

1. Obtaining executive management support
2. Considering the environment in which one operates (Mead et al., 2009)
3. Providing all the necessary training
4. Committing to achieving an appropriate level of software process improvement
5. Performing a risk assessment
6. Deciding what one needs to measure
7. Implementing the approach to selected projects
8. Providing feedback for improvement.

Which of the Eight Steps Does SIDD Primarily Support?

The SIDD model primarily supports the following steps from the list above:

• Considering the environment in which one operates
• Deciding what one needs to measure
• Obtaining executive management support (Mead et al., 2009).

The model of SIDD and its purpose focus on supporting the points listed above as they play a major role in the process of decision making. For instance, it is necessary for a person to consider his or her working environment. This gives the individual an understanding of what services are the most preferable and beneficial for one’s company (Andress, 2015). Indeed, this employee should also decide on what has to be measured to make his or her investments accordingly. In the end, the support of other colleagues and superiors is essential in such cases as they might recommend various operations that are visible to them from other perspectives.

Are Categories and Indicators Used to Assess Appropriate Candidates the Only Points Managers Must Consider?

The article by Mead et al. (2009) provides a table of SIDD Categories and Indicators that must be referred to by a manager to make an investment decision. However, these points are not the only things that should be considered by one in such instances. Also, employees have to rely on their personal experience and that of their colleagues as well (Trotter, Salmon, & Lenné, 2014). Sometimes, it is more important to focus on privileges that might not be determined by plain data and statistics.

SIDD Categories

The following list will identify and explain SIDD Categories:

• Cost. The overall expenses are used to complete a certain investment. Such factors as potential cost, savings, and risk reduction must be considered in accordance with this aspect.
• Criticality & Risk. A degree to which a financial investment contributes. It allows managers to meet their organizations’ business objectives and avoid potential risks (Merkow & Raghavan, 2010).
• Feasibility. A possibility of investment that is likely to be successful.
• Positive Interdependencies. This degree represents reasonable changes to existing organizational processes and practices.
• Involvement. Both levels of involvement and buy-in required by different parties for successful investment are within and outside of the business (Mead et al., 2009).
• Measurability is a consideration of possible investment outcomes.
• Time & Effort Required. Staff-hours necessary to accomplish a certain investment.

RMF Activity Stages

The following list will identify the five activity stages of the RMF (Risk Management Framework):

• Understanding the business context
• Identifying the business and technical risks
• Synthesizing and prioritizing the risks, producing a ranked set
• Defining the risk mitigation strategy
• Carrying out fixes and validating that they are correct (Berg & Danahy, 2012).

Relationship Between Making a Business Case and the Risk Management Framework

Efficient and productive risk management must lead to successfully realized and achieved benefits of any company (Merkow & Raghavan, 2010). It would be proper to mention that the framework described above also increases the possibility to meet various corporate objectives. Therefore, making a business case becomes much easier to complete and implement in the future.

Application Security Practice

As stated by Mead et al. (2009), “ASP (Application Security Practice) is an internal or external center of excellence in assessment and improvement of application security” (p. 40). There is a need for it because approximately 40% of 678 Fortune 500 and other popular web resources contained front-end JavaScript vulnerabilities. In 2011, there were 535 reported data breaches, involving 30.4 million records (Mead et al., 2009). Therefore, applications remain the most common attack targets. It would be proper to mention that insecure programs figured in 5 of the top 6 breaches. Moreover, the demand for trained resources far exceeds supply.

Why Applications Now a Greater Focus of Attacks?

Applications have become a greater focus of attacks because website defacement is an old practice. In turn, people use more sophisticated methods for these purposes (Stallings, 2017). Usually, these actions imply the identification of software’s weaknesses. Nowadays, such illegal activities might lead to the total loss of system control over an application (Berg & Danahy, 2012). It would be proper to mention that is much easier to obtain specific data by hacking the programs mentioned above.

Benefits of Creating an ASP

The benefits of creating an Application Security Practice will be outlined in the list below:

• Internal Practice
• Cost savings from multiple avenues
• Decreased remediation costs
• Decreased likelihood of vulnerability exploit
• Simplified reporting and compliance
• Increased positive visibility of resources
• Beneficial center of gravity for expertise
• External Practice
• The constant demand for trained resources
• Full life-cycle engagement
• Premium service and resource returns (Berg & Danahy, 2012).

Five Activities That Should Occur When Assessing One’s Inventory

The following list will enumerate five activities that must occur when assessing one’s inventory:

• Discovery
• Technical Team Kickoff
• Initial Assessment and Planning
• Assessment
• Final Report (Berg & Danahy, 2012).

Conclusion

Applications have become a greater hacking target recently because they might give specific information to people who have side access to them. Therefore, it is essential for every company to invest its financial means in the development of software security systems. However, it is necessary to consider SIDD Categories and Indicators to assess appropriate candidates. It would be proper to mention that creating what is called an Application Security Practice has many benefits for developers and customers who use this software. Such a method saves expenses on multiple avenues, increases positive visibility of resources, and ensures a beneficial a center of gravity for completing appropriate expertise. At the first stage of assessment, the issue should be discovered. Then, its elimination must be planned and evaluated. The final action implies a report that is intended to prevent similar vulnerabilities in the future.

References

Andress, J. (2015). The basics of information security: Understanding the fundamentals of InfoSec in theory and practice (2nd ed.). Waltham, MA: Syngress.

Berg, R., & Danahy, J. (2012). How to create a software security practice[Video file]. Web.

Mead, N. R., Allen, J. H., Conklin, W. A., Drommi, A., Harrison, J., Ingalsbe, J.,… Shoemaker, D. (2009). Making the business case for software assurance. Fort Belvoir, VA: Defense Technical Information Center.

Merkow, M. S., & Raghavan, L. (2010). Secure and resilient software development. Boca Raton, FL: CRC Press.

Stallings, W. (2017). Cryptography and network security principles and practice (7th ed.). Boston, MA: Pearson.

Trotter, M. J., Salmon, P. M., & Lenné, M. G. (2014). Impromaps: Applying Rasmussen’s risk management framework to improvisation incidents. Safety Science, 64(1), 60-70. Web.