论文信息 - Factors in the selection of a risk assessment method

Factors in the selection of a risk assessment method

A risk assessment method is used to carry out a risk assessment for an organization’s information security. Currently, there are many risk assessment methods from which to choose, each exhibiting a variety of problems. For example, methods may take a long time to perform, may rely on subjective estimates for the security input data, may rely heavily on quantification of financial loss due to vulnerability, or may be costly to purchase and use. Discusses requirements for an ideal risk assessment method, and develops and evaluates factors to be considered in the selection method. Empirical research was carried out at two large, Australian organizations, in order to determine and validate factors. These factors should be of use to organizations in the evaluation, selection or development of a risk assessment method. Interesting conclusions are drawn about decision making in organizational information security.

Sharman Lichtenstein | S. Lichtenstein

[1] David G. W. Birch,et al. Risk analysis for Information Systems , 1992, J. Inf. Technol..

[2] L.J. Hoffman,et al. CERTS: a comparative evaluation method for risk management methodologies and tools , 1990, [1990] Proceedings of the Sixth Annual Computer Security Applications Conference.

[3] RICHAFID BASKERVILLE,et al. Information systems security design methods: implications for information systems development , 1993, CSUR.

[4] Muninder P. Kailay,et al. An application of qualitative risk analysis to computer security for the commercial sector , 1992, [1992] Proceedings Eighth Annual Computer Security Application Conference.

[5] Steve Watt,et al. Managing information security : a non-technical management guide , 1990 .

[6] Richard Baskerville,et al. Risk analysis as a source of professional knowledge , 1991, Comput. Secur..

[7] D.G.W. Birch. An information-driven approach to network security , 1992 .

[8] D. J. Bodeaum,et al. A conceptual model for computer security risk analysis , 1992, [1992] Proceedings Eighth Annual Computer Security Application Conference.

[9] Dennis Longley,et al. The Risk Data Repository: A Novel Approach to Security Risk Modelling , 1993, SEC.

[10] Jan H. P. Eloff,et al. A comparative framework for risk analysis methods , 1993, Comput. Secur..

[11] W. Caelli,et al. Information Security Handbook , 1991 .