Issue No.03 - May/June (2009 vol.7)
M. Eric Johnson , Dartmouth College
Eric Goetz , Dartmouth College
Shari Lawrence Pfleeger , RAND Corporation
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.77
Although security professionals have long talked about risk, moving an organization from a "security" mindset to one that thoughtfully considers information risk is a challenge. Managing information risk means building risk analysis into every business decision. The authors explore how chief information security officers (CISOs) of large firms are working to move the conversation from security toward information risk. CISOs face many organizational challenges, but they widely agree that action plans must include risk categorization, communication, and measurement.
Keywords: information risk, security, CISO, organizational, chief information security officer
M. Eric Johnson, Eric Goetz, Shari Lawrence Pfleeger, "Security through Information Risk Management", IEEE Security & Privacy, vol.7, no. 3, pp. 45-52, May/June 2009, doi:10.1109/MSP.2009.77