Issue No.03 - May/June (2009 vol.7)
pp: 45-52
M. Eric Johnson , Dartmouth College
Eric Goetz , Dartmouth College
Shari Lawrence Pfleeger , RAND Corporation
ABSTRACT
Although security professionals have long talked about risk, moving an organization from a "security" mindset to one that thoughtfully considers information risk is a challenge. Managing information risk means building risk analysis into every business decision. The authors explore how chief information security officers (CISOs) of large firms are working to move the conversation from security toward information risk. CISOs face many organizational challenges, but they widely agree that action plans must include risk categorization, communication, and measurement.
INDEX TERMS
information risk, security, CISO, organizational, chief information security officer
CITATION
M. Eric Johnson, Eric Goetz, Shari Lawrence Pfleeger, "Security through Information Risk Management", IEEE Security & Privacy, vol.7, no. 3, pp. 45-52, May/June 2009, doi:10.1109/MSP.2009.77