Purpose – The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, to evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, to outline current fundamental problems in risk management based on industrial feedback and academic literature, and to provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from coming up with sound risk management results.

Design/methodology/approach – To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback.

Findings – As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing, and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk-versus-cost trade-offs, but we identified academic approaches which fulfill this need.

Originality/value – The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. The findings therefore enable researchers to focus their work on the identified real-world challenges and thereby contribute to advancing the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.
Information Management & Computer Security – Emerald Publishing
Published: Nov 10, 2014