The Community for Technology Leaders
RSS Icon
Issue No.05 - September/October (2008 vol.10)
pp: 46-52
Shari Lawrence Pfleeger , RAND Corporation
Thomas Ciszek , Pardee RAND Graduate School of Public Policy
This article presents a four-step process for evaluating assets to be protected, potential assailants, and likely methods and tactics. It puts the results together as a plan of action for investing in cybersecurity in ways that protect the most critical organizational information and processes. The process differs from earlier attempts to value security because it's based on an ordinal ranking, not on absolute dollar values for security. Moreover, it associates with each investment option an argument for why the investment should be made.
security, investment, process, information technology
Shari Lawrence Pfleeger, Thomas Ciszek, "Choosing a Security Option: The InfoSecure Methodology", IT Professional, vol.10, no. 5, pp. 46-52, September/October 2008, doi:10.1109/MITP.2008.97
1. W. Jackson, "How Do You Put a Value on Security?" Government Computer News,5 Oct. 2006;
2. M. Kiaer, "The Business Value of Security," Microsoft, 2005; secmvpsv0605.mspx.
3. L. Carin, G. Cybenko, and J. Hughes, "Cybersecurity Strategies: The QuERIES Methodology," Computer, vol. 41, no. 8, 2008, pp. 20–26.
4. P. Kertzner, J. Watters, and D. Bodeau, Process Control System Security Technical Risk Assessment Methodology and Technical Implementation, tech. report, MITRE/I3P, May 2006.
5. P. Antón et al., Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology, tech. report MR-1601, RAND Corp., 2003; .
6. F. Zahedi, "Group Consensus Estimation When Preferences Are Uncertain," Operations Research, vol. 34, no. 6, 1986, pp. 383–394.
7. O. Helmer-Herschberg, Analysis of the Future: The Delphi Method, tech. report P-3704, RAND Corp., 1967;
8. R. Clewley, "Animated Response to Security," Wired,27 Mar. 2001; 2001/0342578.
9. P. Bowen, J. Hash, and M. Wilson, Information Security Handbook: A Guide for Managers, National Institute for Standards and Technology, tech. report SP-800-100, US Nat'l Inst. Standards and Technology, 2007; 800-100SP800-100-Mar072007.pdf.
10. B. Kitchenham et al., "A Case Study of Maintenance Estimation Accuracy," J. Systems and Software, vol. 64, no. 1, 2002, pp. 55–77.
495 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool