Issue No.05 - September/October (2008 vol.6)
Julie J.C.H. Ryan, George Washington University
Daniel J. Ryan, National Defense University
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2008.125
Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring reductions in expected loss.
risk management, information security, security and protection, security metrics
Julie J.C.H. Ryan, Daniel J. Ryan, "Performance Metrics for Information Security Risk Management", IEEE Security & Privacy, vol. 6, no. 5, pp. 38-44, September/October 2008, doi:10.1109/MSP.2008.125