Computer Security: The Top Priority for Effective Administration

Computer Security


Question

Computer security should be first and foremost which of the following:

Answers

Explanations


A. Cover all identified risks
B. Be cost-effective
C. Be examined in both monetary and non-monetary terms
D. Be proportionate to the value of IT systems

B.

Computer security should be first and foremost cost-effective.

As for any organization, there is a need to measure their cost-effectiveness, to justify budget usage and provide supportive arguments for their next budget claim. But organizations often have difficulty accurately measuring the effectiveness and the cost of their information security activities.

The classical financial approach for ROI calculation is not particularly appropriate for measuring security-related initiatives: security is not generally an investment that results in a profit.

Security is more about loss prevention.

In other terms, when you invest in security, you don't expect benefits; you expect to reduce the risks threatening your assets.

The concept of the ROI calculation applies to every investment.

Security is no exception. Executive decision-makers want to know the impact security is having on the bottom line. In order to know how much they should spend on security, they need to know how much the lack of security is costing the business and what the most cost-effective solutions are.

Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions: Is an organization paying too much for its security? What financial impact on productivity could a lack of security have? When is the security investment enough? Is this security product/organisation beneficial?

The following are other concerns about computer security but not the first and foremost:

The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits.

Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.

Requirements for security vary, depending upon the particular IT system.

Therefore it does not make sense for computer security to cover all identified risks when the cost of the measures exceeds the value of the systems they are protecting.

Reference(s) used for this question: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (page 6), and http://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment.
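The explanation above says a ROSI calculation answers "is the organization paying too much?" and "when is the investment enough?" without showing the arithmetic. The following is an added worked example, not part of the original answer or of the NIST/ENISA documents it cites. It assumes the ROSI formula as published in the ENISA guide linked above (ROSI = (ALE x mitigation ratio - cost of control) / cost of control, with ALE = SLE x ARO); the asset value, loss figures, and the three controls are constructed sample values, not data from the page.

```python
"""Worked ROSI example: decide which controls are cost-effective for one asset.

Formulas (ENISA "Introduction to Return on Security Investment"):
    ALE  = SLE * ARO                       annual loss expectancy
    ROSI = (ALE * mitigation - cost) / cost   return on security investment
A control with ROSI > 0 avoids more expected loss than it costs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # recurring yearly cost of the control
    mitigation_ratio: float  # fraction of expected loss the control removes (0..1)


def annual_loss_expectancy(single_loss_expectancy: float,
                           annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO. Both inputs must be non-negative."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, control: Control) -> float:
    """ROSI = (ALE x mitigation_ratio - cost) / cost, as a plain ratio (1.0 == 100%)."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    avoided_loss = ale * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def is_cost_effective(ale: float, control: Control) -> bool:
    """A control pays for itself only when ROSI is positive."""
    return rosi(ale, control) > 0


def break_even_spend(ale: float, mitigation_ratio: float) -> float:
    """Largest yearly spend for which a control at this mitigation ratio still breaks even.

    Answers the page's 'when is the security investment enough?' question:
    spending more than ALE x mitigation on that control is overpaying.
    """
    return ale * mitigation_ratio


def exceeds_asset_value(asset_value: float, control: Control) -> bool:
    """True when the control costs more per year than the asset it protects is worth.

    This is the 'cover all identified risks' trap the answer warns about.
    """
    return control.annual_cost > asset_value


def rank_controls(ale: float, controls: list[Control]) -> list[Control]:
    """Order controls from best to worst ROSI so budget goes where it earns most."""
    return sorted(controls, key=lambda c: rosi(ale, c), reverse=True)


# --- constructed sample figures (not from the page) ---------------------------
ASSET_VALUE = 50_000.0     # replacement/recovery value of a departmental file server
SLE = 20_000.0             # loss per ransomware incident, including recovery
ARO = 0.5                  # one incident expected every two years
ALE = annual_loss_expectancy(SLE, ARO)   # 10_000.0 per year

OFFLINE_BACKUPS = Control("offline backups", annual_cost=2_000.0, mitigation_ratio=0.80)
MANAGED_EDR = Control("managed EDR", annual_cost=12_000.0, mitigation_ratio=0.95)
FULL_ISOLATION = Control("air-gap and rebuild", annual_cost=60_000.0, mitigation_ratio=1.00)
CANDIDATES = [OFFLINE_BACKUPS, MANAGED_EDR, FULL_ISOLATION]


if __name__ == "__main__":
    print(f"ALE for the file server: {ALE:,.0f}/year")
    for c in rank_controls(ALE, CANDIDATES):
        verdict = "cost-effective" if is_cost_effective(ALE, c) else "not cost-effective"
        note = " (costs more than the asset is worth)" if exceeds_asset_value(ASSET_VALUE, c) else ""
        print(f"  {c.name:<22} ROSI={rosi(ALE, c):+.2f}  {verdict}{note}")
    print(f"Break-even spend for an 80% control: {break_even_spend(ALE, 0.80):,.0f}/year")
```

With these constructed figures the offline-backup control returns 3.0 (each unit spent avoids four units of expected loss), the EDR service returns about -0.21 because its cost exceeds the loss it would avoid for this one asset, and the air-gap option fails the proportionality test outright since it costs more than the server is worth. The ranking is what a decision-maker would use to allocate a fixed budget across assets.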

Computer security is a critical aspect of any organization's IT infrastructure. It involves protecting digital assets, such as data, networks, and systems, from unauthorized access, use, disclosure, disruption, modification, or destruction. To ensure effective computer security, it is important to prioritize certain principles.

Among the options provided, the most appropriate answer is D. "Be proportionate to the value of IT systems."

The value of IT systems is determined by the information they contain, their impact on business operations, and the cost of their replacement or recovery in case of a breach. The level of security required should be proportional to this value, meaning that higher-value IT systems require greater levels of security than lower-value ones.

A. "Cover all identified risks" may seem like a reasonable principle, but it is not practical or feasible to cover all risks. There will always be risks that go unidentified or are too costly to address.

B. "Be cost-effective" is important, but it should not be the primary consideration. The cost of security should be weighed against the potential cost of a security breach or data loss.

C. "Be examined in both monetary and non-monetary terms" is important, but it is not a primary consideration. It is useful to examine security in both monetary and non-monetary terms to determine the true cost of a security breach, but this should not be the only consideration when determining the appropriate level of security.

In summary, the most important principle in computer security is to ensure that the level of security is proportional to the value of IT systems. This ensures that the organization is investing in security where it matters most, while also being mindful of costs and risks.