research-article

Free Access

Information security and risk management

Authors:
Lawrence D. Bodin

University of Maryland, College Park, MD

University of Maryland, College Park, MD
View Profile

,
Lawrence A. Gordon

University of Maryland Institute for Advanced Computer Studies

University of Maryland Institute for Advanced Computer Studies
View Profile

,
Martin P. Loeb

University of Maryland Institute for Advanced Computer Studies

University of Maryland Institute for Advanced Computer Studies
View Profile

Authors Info & Claims

Communications of the ACM Volume 51 Issue 4April 2008pp 64–68https://doi.org/10.1145/1330311.1330325

Published:01 April 2008Publication History

Communications of the ACM

Abstract

Use the new PCR risk metric to find ways to enhance security, avoiding one-dimensional metrics like ALE that could risk an organization's survivability.

References

Bodin, L., Gordon, L., and Loeb, M. Evaluating information security investments using the analytic hierarchy. Commun. ACM 48, 2 (Feb. 2005), 461--485. Google ScholarDigital Library
Gordon, L. and Loeb, M. Budgeting process for information security expenditures: Empirical evidence. Commun. ACM 49, 1 (Jan. 2006), 121--125. Google ScholarDigital Library
Gordon, L. and Loeb, M. Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, New York, 2006. Google ScholarDigital Library
Gordon, L., Loeb, M., and Lucyshyn, W. Sharing information on computer systems: An economic analysis. Journal of Accounting and Public Policy 22, 6 (Nov.-Dec. 2003), 461--485.Google Scholar
Gordon, L., Loeb, M., and Sohail, T. A framework for using insurance for cyber risk management. Commun. ACM 46, 3 (Mar. 2003), 81--85. Google ScholarDigital Library
Gordon, L. and Loeb, M. The economics of investment in information security. ACM Transactions on Information and System Security 5, 4 (Nov. 2002), 438--457. Google ScholarDigital Library
Gordon, L. and Loeb, M. A framework for using information security as a response to competitor analysis systems. Commun. ACM 44, 9 (Sept. 2001), 70--75. Google ScholarDigital Library
Saaty, T. The Analytic Hierarchy Process. McGraw-Hill, New York, 1980.Google Scholar

Index Terms

Information security and risk management

Recommendations

Performance Metrics for Information Security Risk Management

Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring ...
Read More
Taxonomy of information security risk assessment (ISRA)

Information is a perennially significant business asset in all organizations. Therefore, it must be protected as any other valuable asset. This is the objective of information security, and an information security program provides this kind of ...
Read More
Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in

Communications of the ACM Volume 51, Issue 4
The psychology of security: why do good users make bad decisions?
April 2008
94 pages
ISSN:0001-0782
EISSN:1557-7317
DOI:10.1145/1330311
Issue’s Table of Contents

Copyright © 2008 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 April 2008
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
- Popular
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 66
  Total Citations
  View Citations
- 4,448
  Total Downloads
- Downloads (Last 12 months)146
- Downloads (Last 6 weeks)42
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

Information security and risk management

Communications of the ACM

Abstract

References

Cited By

Index Terms

Recommendations

Performance Metrics for Information Security Risk Management

Taxonomy of information security risk assessment (ISRA)

Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

HTML Format

Caption

Information security and risk management

Communications of the ACM

Abstract

References

Cited By

Index Terms

Recommendations

Performance Metrics for Information Security Risk Management

Taxonomy of information security risk assessment (ISRA)

Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

HTML Format

Share this Publication link

Share on Social Media