COST OF INFORMATION ASSURANCE
An Approach to Answering “How much is enough?” in Information Assurance
August 2002
The National Center for Manufacturing Sciences
www.ncms.org
University of Michigan Tauber Manufacturing Institute
www.tmi.umich.edu
Table of Contents
Introduction
Projected Collaboration and Information Assurance
Collaboration in the Extended Enterprise
Evolving Manufacturing Information Infrastructure
Three Components for Better Information Assurance
Roadblocks in Information Assurance
Cost of Information Assurance Model
Sensitivity Analysis
Finding the Appropriate Assurance Policy
Four Building Blocks for Optimal Information Assurance
Benefits of Information Assurance
Key Recommendations
Summary
About NCMS
End Notes
EXECUTIVE SUMMARY
Most manufacturers employ some form of best practices method to allocate financial and
human resources to achieve what they perceive as an adequate level of Information Assurance.
However, sole reliance on best practices may result in inappropriate spending decisions by
focusing on practices regardless of their applicability to a company’s actual context of critical
assets and risks. Best practices may serve as an effective means of jump-starting the process
of improving security; however, in the long term companies are left unnecessarily
vulnerable when they strive to be the modest “above average.”1
NCMS formulated the Cost of Information Assurance model and framework as an
alternative approach to quantifying reasonable expectations for Information Assurance costs,
one which accounts for the additional risks of increasing collaboration in supply chain and
e-Manufacturing strategies. Collaboration-based business processes promise significant gains
in profitability, market share and shareholder value to effective practitioners in most
industries. At the same time, increased sharing of information, largely across the In