Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/emerald-publishing/optimizing-investment-decisions-in-selecting-information-security-w3XlhSW3dN
References (37)
-
T. Shigematsu, Bin-Hui Chou, Y. Hori, K. Sakurai (2008)
Methodology for Evaluating Information Security Countermeasures of a System2008 International Conference on Information Security and Assurance (isa 2008)
-
Lawrence Gordon, Martin Loeb (2002)
The economics of information security investment -
S. Vidalis, A. Jones
Using vulnerability trees for decision making in threat assessment -
Huseyin Cavusoglu, B. Mishra, Srinivasan Raghunathan (2004)
A model for evaluating IT security investmentsCommun. ACM, 47
-
Donald Buckshaw, G. Parnell, Willard Unkenholz, Donald Parks, J. Wallner, O. Saydjari (2005)
Mission Oriented Risk and Design Analysis of Critical Information SystemsMilitary Operations Research, 10
-
Richard Caralli, W. Wilson (2004)
The Challenges of Security Management -
R. Richardson
CSI Computer Crime and Security Survey -
C. Moore (2004)
The growing trend of government involvement in IT security -
Krzysztof Lisek (2007)
Integrated, BusinessOriented, TwoStage Risk Analysis -
Qi-rong Qiu, Zhi Pan, Wunien Peng (2008)
An Optimization Model of Product selection in Information Security Technology System2009 First International Workshop on Education Technology and Computer Science, 1
-
L. Bodin, Lawrence Gordon, Martin Loeb (2005)
Evaluating information security investments using the analytic hierarchy processCommun. ACM, 48
-
I. Flechais, C. Mascolo, M. Sasse (2007)
Integrating security and usability into the requirements and design processInt. J. Electron. Secur. Digit. Forensics, 1
-
A. Lamsweerde (2004)
Elaborating security requirements by construction of intentional anti-modelsProceedings. 26th International Conference on Software Engineering
-
A. Martins, J.H.P. Eloff
Measuring information security -
J. Duffany (2007)
Optimal resource allocation for securing an enterprise information infrastructure -
U. Lindqvist, P. Kaijser, E. Jonsson (1998)
The Remedy Dimension of Vulnerability Analysis -
A. Arora, Dennis Hall, C. Pinto, Dwayne Ramsey, Rahul Telang (2004)
Measuring the risk-based value of IT security solutionsIT Professional, 6
-
Fariborz Farahmand, J. William, B. Shamkant, H. Philip (2003)
Security Tailored to the Needs of Business -
Zikai Wang, Haitao Song (2008)
Towards an Optimal Information Security Investment Strategy2008 IEEE International Conference on Networking, Sensing and Control
-
Premkumar Devanbu, S. Stubblebine (2000)
Software engineering for security: a roadmap -
T. Nakajo, H. Kume
The principles of fool proofing and their application in manufacturing -
Ken Buszta (2008)
Challenges in Certification and AccreditationIT Professional, 10
-
T. Sakuraba, S. Domyo, Bin-Hui Chou, K. Sakurai (2006)
Exploring Security Countermeasures along the Attack Sequence2008 International Conference on Information Security and Assurance (isa 2008)
-
B. Blakley, Ellen McDermott, Daniel Geer (2001)
Information security is information risk management -
Stefano Bistarelli, F. Fioravanti, Pamela Peretti (2006)
Defense trees for economic evaluation of security investmentsFirst International Conference on Availability, Reliability and Security (ARES'06)
-
D. Gilliam (2004)
Security risks: management and mitigation in the software life cycle13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
-
Fariborz Farahmand, S. Navathe, P. Enslow, G. Sharp (2003)
Managing vulnerabilities of information systems to security incidents -
S. Butler (2002)
Technical papers: Software evaluation: Security attribute evaluation method: a cost-benefit approach -
10.1145/581339.581370
-
S.A. Butler
Security attribute evaluation method: a cost‐benefit approach -
Jun Heo, Jong-Whoi Shin, H. Kim, DongHoon Shin, G. Lee, Jae-il Lee (2007)
A Study for a New IT Service Information Protection Framework2007 Second International Conference on Systems and Networks Communications (ICSNC 2007)
-
L. Lin, B. Nuseibeh, D. Ince, M. Jackson, J. Moffett
Introducing abuse frames for analyzing security requirements -
S. Harris (2003)
Cissp Certification Exam Guide -
J. Caulkins, Eric Hough, N. Mead, Hassan Osman (2007)
Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed BudgetsIEEE Security & Privacy, 5
-
Rok Bojanc, B. Jerman-Blazic (2008)
Standard Approach for Quantification of the ICT Security Investment for Cybercrime PreventionSecond International Conference on the Digital Society
-
Russell Jones, Abhinav Rastogi (2004)
Secure Coding: Building Security into the Software Development Life CycleInformation Systems Security, 13
-
T. Neubauer, C. Stummer, E. Weippl (2006)
Workshop-based multiobjective security safeguard selectionFirst International Conference on Availability, Reliability and Security (ARES'06)
- Publisher
- Emerald Publishing
- Copyright
- Copyright © 2011 Emerald Group Publishing Limited. All rights reserved.
- ISSN
- 0968-5227
- DOI
- 10.1108/09685221111143042
- Publisher site
- See Article on Publisher Site
Abstract
Purpose – This paper proposes a new framework for optimizing investment decisions when deciding about information security remedies. Design/methodology/approach – The framework assumes that the organization is aware of a set of remedies that can be employed to address end‐effects that have been identified. The framework also assumes that the organization defines its information security policy by setting a minimum level of protection for each end‐effect. Given the two sets of costs, that of the end‐effect and the potential damage it can cause and that of the remedy and the required level of protection from each end‐effect, this framework can be used to identify the optimal set of remedies for a given budget that complies with the organization's information security policy. The framework is illustrated using a practical example concerning investment decision optimization in a financial organization. Findings – The paper shows that exhausting the information security budget does not assure a higher level of security required by the organisation. Practical implications – Concentrating on end‐effects and on the organizational requirements eases the process of remedy selection. The proposed methodology circumvents the common process of assuming probabilities of information security events. Originality/value – This research proposes a practical and an easily implementable framework, enabling the information security manager to align the information security remedies and best practice methodological requirements with organizational budget constraints and business requirements while maintaining a required level of security.
Journal
Information Management & Computer Security – Emerald Publishing
Published: Jun 7, 2011
Keywords: Data security; Investments; Information management