Necessary measures - Metric-driven information security risk assessment and decision making

Cited by: 18
Authors
Baker, Wade H. [1]
Rees, Loren Paul
Tippett, Peter S.
Affiliations
[1] Virginia Tech, Blacksburg, VA 24061 USA
[2] Virginia Tech, Dept Business Informat Technol, Blacksburg, VA USA
[3] ICSA Labs, Mechanicsburg, PA USA
DOI: 10.1145/1290958.1290969
CLC classification: TP3 [Computing technology, computer technology]
Discipline code: 0812
Abstract
Measurable, reliable real-world metrics are being used to improve information security decision making. Management is identifying and understanding the threats facing the organization to be able to take systematic action to reduce risk. Various taxonomies using a variety of techniques have been proposed to classify and systematize threats to information security. Security initiatives are more commonly driven by compliance mandates than by the principles of risk management. A more reasoned approach to measure and model security factors, including carefully delineating threats, gathering impact and financial loss data, and calculating reduced vulnerability through countermeasures, is required. Improved analysis and decision making should be expected to follow after taking these necessary measures.
Pages: 101 / 106
Page count: 6