Choosing a Security Option: The InfoSecure Methodology
September/October 2008 (vol. 10 no. 5)
pp. 46-52
Shari Lawrence Pfleeger, RAND Corporation
Thomas Ciszek, Pardee RAND Graduate School of Public Policy
This article presents a four-step process for evaluating assets to be protected, potential assailants, and likely methods and tactics. It puts the results together as a plan of action for investing in cybersecurity in ways that protect the most critical organizational information and processes. The process differs from earlier attempts to value security because it's based on an ordinal ranking, not on absolute dollar values for security. Moreover, it associates with each investment option an argument for why the investment should be made.

Index Terms:
security, investment, process, information technology
Citation:
Shari Lawrence Pfleeger, Thomas Ciszek, "Choosing a Security Option: The InfoSecure Methodology," IT Professional, vol. 10, no. 5, pp. 46-52, Sept.-Oct. 2008, doi:10.1109/MITP.2008.97