论文信息 - Three Case Studies in Quantitative Information Risk Analysis

Three Case Studies in Quantitative Information Risk Analysis

In this paper, we build on existing literature and on a dialog with several decision-making partners (e.g., CISOs) to propose a simple methodology to quantitatively assess the value of security. We use this methodology to provide quantitative data gathered from three case studies of real organizations. The vastly different results we obtain across the three organizations considered emphasize the dependence between the security investments and the nature of the organization implementing them.

Nicolas Christin | Mohammed A. Bashir

[1] Ding Tan. Quantitative Risk Analysis Step-By-Step , 2003 .

[2] Rahul Telang,et al. Measuring the risk-based value of IT security solutions , 2004, IT Professional.

[3] Lawrence A. Gordon,et al. A framework for using insurance for cyber-risk management , 2003, Commun. ACM.

[4] Thomas Peltier,et al. Information Security Risk Analysis: A Pedagogic Model Based on a Teaching Hospital , 2006 .

[5] Daniel E. Geer,et al. Information Security: Why the Future Belongs to the Quants , 2003, IEEE Secur. Priv..