학술논문

For quantification information security incident cost in the introduction of ISMS / ISMS導入のための情報セキュティインシデントコスト定量化について
Document Type
Journal Article
Source
学術情報処理研究 / Journal for Academic Computing and Networking. 2012, 16(1):86
Subject
ISMS
incident cost
information security
quantifying
インシデントコスト
定量化
情報セキュリティ
Language
Japanese
ISSN
1343-2915
2433-7595
Abstract
We propose a method for quantitatively grasping the cost of an information security incident, including the labor cost, when an information security management system (ISMS) is introduced. In order to execute several corrective and preventive actions within a limited budget, we need indicators to compare the level of urgency or importance of each action. The amount of loss generated by an incident is one of the key indicators. The total amount of loss should consist not only of the loss directly caused by the incident, such as broken equipment and lost profits, but also of the indirect cost of recovering to the original state. In an organization that adopts individual cost management including working-hours management, such as activity-based management, the cost of each event can be understood as a cost that includes the labor cost. If the organization does not adopt such accounting, calculating the cost of individual incidents is extremely difficult. However, it is possible to calculate the amounts required for certain criteria in the organization. By taking the total of the amounts required by these factors as the incident cost, we can compare the magnitude of multiple incidents in the organization. We applied the proposed method to constructing an ISMS at Yamaguchi University and confirmed its effectiveness.