N. Dejdumrong, N. Anannavee, and T. Uttranadhi (Thailand)
Information Security, Information asset, Cost-Benefit Analysis, Incident Response Plan.
In the current situation of world economic and political uncertainty, risk assessment and management is inevitably required of a company as an obligation, not just an option. Information security assessment is an important component of an effective risk management process. This paper proposes a technique for how a business should determine its information assets and justify its investments in information system protection by using the well-known technique called cost-benefit analysis (CBA). In order to examine the technique, a lubricating oil company is selected as a case study. Its system is then assessed and its information assets are determined. The security weaknesses or vulnerabilities of the systems are defined. Finally, some potential solutions are recommended for implementation. Incident response management, including its associated plans, is also introduced as an application of information security assessment. The results of this research indicate that the CBA technique can be used as an effective tool to optimize IT security investment and prioritize implementation.