Verification, Validation, and Evaluation in Information Security Risk Management
March/April 2011 (vol. 9 no. 2)
pp. 58-65
Stefan Fenz, Vienna University of Technology
Andreas Ekelhart, SBA Research
Over the past four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. Although restrictions obviously exist, such as the impossibility of measuring exact values for probabilities and follow-up costs, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. So far, there is no systematic overview of the available methods. In this article, the authors survey the verification, validation, and evaluation methods referenced in the ISRM literature and discuss in which ISRM phase each method should be applied. They then demonstrate how to select appropriate methods with a real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation, and evaluation and can serve as a reference for ISRM researchers and users who aim to establish trust in their results.

Index Terms:
risk management, review and evaluation, security and protection
Citation:
Stefan Fenz, Andreas Ekelhart, "Verification, Validation, and Evaluation in Information Security Risk Management," IEEE Security and Privacy, vol. 9, no. 2, pp. 58-65, Mar./Apr. 2011, doi:10.1109/MSP.2010.117