Classification of Cyber Security Costs: Case of Lithuanian Enterprises
Generolo Jono Žemaičio Lietuvos karo akademija | |
Vasilis Vasiliauskas, Aidas | Generolo Jono Žemaičio Lietuvos karo akademija |
Assessing the costs of cyber security is not a new but constantly debated topic due to the lack of a clear assessment mechanism, especially as it differs in assessing the cyber security of the state, business or individuals. However, it can be argued that all cyber security cost estimation models, regardless of the purpose and addressee, have the same variable - cyber security costs, which in turn should be classified. Identification and classification should be considered to be the essential starting point on which the reliability of any cyber security cost estimation model depends. An analysis of the scientific literature has revealed that there is a lack of complex assessment in this area, so it has been hypothesized that the classification of cyber security costs is specific and has only its own characteristics. Thus, the aim of this study is to develop a cyber security cost classification model that enables a more accurate assessment of both the costs themselves and suitability of investing in cyber security by applying any cyber security cost estimation model. Descriptive statistics, correlation analysis, exploratory factor analysis were used to analyse the data obtained during quantitative research. Lithuanian enterprises that provide cyber security services or have a separate cyber security unit dedicated to performing the security functions of the activities were selected for the research. After a thorough analysis of the scientific literature, a questionnaire was developed, the statements of which, described by experts according to the Liker five-point system, describe four main types of cyber security costs, reflecting classical cost estimation theories. The structure of statements about the assessment of cyber security costs was investigated using the factor analysis method to verify the theoretical model of the classification of cyber security costs and its components developed during the analysis of the scientific literature. The traditional cost classification theory, which states that costs are fixed and variable when estimating the costs of cyber security, is not appropriate, so the estimation of cyber security costs requires a new, non-traditional cost classification and the assessment based on it.