Abstract
Use the new PCR risk metric to find ways to enhance security, avoiding one-dimensional metrics like ALE that could risk an organization's survivability.
Index Terms
- Information security and risk management