The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.05 - September/October (2008 vol.6)
pp: 38-44
Julie J.C.H. Ryan , George Washington University
Daniel J. Ryan , National Defense University
ABSTRACT
Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring reductions in expected loss.
INDEX TERMS
risk management, information security, security and protection, security metrics
CITATION
Julie J.C.H. Ryan, Daniel J. Ryan, "Performance Metrics for Information Security Risk Management", IEEE Security & Privacy, vol.6, no. 5, pp. 38-44, September/October 2008, doi:10.1109/MSP.2008.125
REFERENCES
1. T. DeMarco, Controlling Software Projects: Management, Measurement &Estimation, Yourdon Press, 1982, p. 3.
2. J.J.C.H. Ryan and T.I. Jefferson, "The Use, Misuse, and Abuse of Statistics in Information Security Research," Managing Technology in a Dynamic World: Proc. 2003 Am. Soc. for Eng. Management Conf., 2003, pp. 644–653.
3. W. Ozier, "Risk Metrics Needed for IT Security," ITAudit, vol. 6, 1 Apr. 2003; www.theiia.org/itauditindex.cfm?fuseaction=forum&fid=5396 .
4. A. Jaquith, Security Metrics: Replacing Fear, Uncertainty and Doubt, Addison-Wesley, 2007.
5. D.S. Herrmann, Complete Guide to Security and Privacy Metrics, Auerbach Publications, 2007.
6. L.A. Gordon and M.P. Loeb, "The Economics of Information Security Investment," ACM Trans. Information and System Security, vol. 5, no. 4, Nov. 2002, pp. 438–457.
7. J.D. Kalbfleish and R.L. Prentice, The Statistical Analysis of Failure-Time Data, 2nd ed., Wiley, 2002.
8. J.M. Lachin, Biostatistical Methods: The Assessment of Relative Risks, John Wiley &Sons, 2000, pp. 5–31.
9. J.J.C.H. Ryan and D. Ryan, "Proportional Hazards in Information Security," Risk Analysis, vol. 25, no. 1, 2005, pp. 139–147.
10. T.M. Therneau and P.M. Grambsch, Modeling Survival Data: Extending the Cox Model, Springer, 2000.
11. D. Collett, Modelling Survival Data in Medical Research, 2nd ed., Chapman &Hall/CRC, 2003, pp. 45–47.
12. N. Mantel and W. Haenszel, "Statistical Aspects of the analysis of Data from Retrospective Studies of Disease," J. Nat'l Cancer Inst., vol. 22, 1959, pp. 719–748.
13. J. Cornfield, "A Method of Estimating Comparative Rates from Clinical Data: Applications to Cancer of the Lung, Breast, and Cervix," J. Nat'l Cancer Inst., vol. 11, 1951, pp. 1269–1275.
14. J. Cornfield, "A Statistical Problem Arising from Retrospective Studies," Proc. 3rd Berkley Symp. Mathematical Statistical Probability, 1956, pp. 135–148.
15. C.J. Clopper and E.S. Pearson, "The Use of Confidence or Fiducial Limits Illustrated in the Case of the Binomial," Biometrika, vol. 26, Dec. 1934, pp. 404–413.
16. M. Swanson et al., Security Metrics Guide for Information Technology Systems: Special Publication 800-55, US Nat'l Inst. of Standards and Technology, July 2003, pp. 1–12.
6 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool