Performance Metrics for Information Security Risk Management
September/October 2008 (vol. 6, no. 5), pp. 38-44
Julie J.C.H. Ryan, George Washington University
Daniel J. Ryan, National Defense University
Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring reductions in expected loss.
Index Terms:
risk management, information security, security and protection, security metrics
Citation:
Julie J.C.H. Ryan, Daniel J. Ryan, "Performance Metrics for Information Security Risk Management," IEEE Security & Privacy, vol. 6, no. 5, pp. 38-44, Sept.-Oct. 2008, doi:10.1109/MSP.2008.125