HOW TO CALCULATE INFORMATION VALUE FOR EFFECTIVE SECURITY RISK ASSESSMENT

The central problem of information security (infosec) risk assessment is determining the value of an information asset. This shows most clearly in quantitative methodologies, which require the value of information to be stated as a quantity. The aim of this paper is to describe the possibilities for evaluating the value of business information and the criteria needed for determining its importance. To this end, the dimensions of information value are identified and the ways of presenting the importance of information content are studied. There are two basic approaches to evaluation, qualitative and quantitative, and they are often combined to determine the forms of information content. The proposed criterion is a three-dimensional model that combines existing experience (i.e. available solutions for information value assessment) with our own criteria. An attempt to structure information value in a business environment is made as well.