Compliance or Security, What Cost? (Poster)

Wright, Craig

doi:10.1007/978-3-642-22497-3_27

Craig Wright¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6812))

Included in the following conference series:

Australasian Conference on Information Security and Privacy

883 Accesses
1 Altmetric

Abstract

This paper presents ongoing work toward measuring the effectiveness of audit and assessment as an information security control. The trend towards the application of security control measures which are employed to demonstrate compliance with legislation or regulations, rather than to actually detect or prevent breaches occurring is demonstrated to result in a misallocation of funds. Information security is a risk function. Paying for too much security can be more damaging in economic terms than not buying enough. This research reveals several major misconceptions among businesses about what security really means and that compliance is pursued to the detriment of security. In this paper, we look at some of the causes of compliance based audit failures and why these occur. It is easier to measure compliance than it is to measure security and spending money to demonstrate compliance does not in itself provide security. When the money spent on achieving compliance reduces the funding available for control measures that may actually improve security problems may arise.

An erratum of this chapter can be found at http://dx.doi.org/10.1007/978-3-642-22497-3_36

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Anderson, R.: Why information security is hard – an economic perspective. In: 17th Annual Computer Security Applications Conference, pp. 358–365 (2001)
Google Scholar
Halderman, J.: To Strengthen Security, Change Developers’ Incentives. IEEE Security and Privacy 8(2), 79–82 (2010)
Article Google Scholar
Katz, M.L., Shapiro, C.: Network externalities, competition, and compatibility. The American Economic Review 75, 424 (1985)
Google Scholar
Roese, N.J., Olson, J.M.: Better, stronger, faster: Self-serving judgment, affect regulation, and the optimal vigilance hypothesis. Perspectives on Psychological Science 2, 124–141 (2007)
Article Google Scholar
Turcato, L.M.: Use of COBIT as a Risk Management & Audit Framework for Access Compliance, San Francisco ISACA Fall Conference (2004)
Google Scholar

Download references

Author information

Authors and Affiliations

Computer Science Editorial, Springer-Verlag, Tiergartenstr. 17, 69121, Heidelberg, Germany
Craig Wright

Authors

Craig Wright
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science and Software Engineering, The University of Melbourne, 3010, Victoria, Australia
Udaya Parampalli
Qualcomm Incorporated, Suite 301, Level 3, 77 King Street, NSW 2000, Sydney, Australia
Philip Hawkes

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Wright, C. (2011). Compliance or Security, What Cost? (Poster). In: Parampalli, U., Hawkes, P. (eds) Information Security and Privacy. ACISP 2011. Lecture Notes in Computer Science, vol 6812. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22497-3_27

Download citation

DOI: https://doi.org/10.1007/978-3-642-22497-3_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22496-6
Online ISBN: 978-3-642-22497-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics