Issue No. 03 - May/June (2009 vol. 7)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.77
M. Eric Johnson, Dartmouth College
Eric Goetz, Dartmouth College
Shari Lawrence Pfleeger, RAND Corporation
Although security professionals have long talked about risk, moving an organization from a "security" mindset to one that thoughtfully considers information risk is a challenge. Managing information risk means building risk analysis into every business decision. The authors explore how chief information security officers (CISOs) of large firms are working to move the conversation from security toward information risk. CISOs face many organizational challenges, but they widely agree that action plans must include risk categorization, communication, and measurement.
information risk, security, CISO, organizational, chief information security officer
M. E. Johnson, S. L. Pfleeger and E. Goetz, "Security through Information Risk Management," in IEEE Security & Privacy, vol. 7, no. 3, pp. 45-52, 2009.