Issue No. 03 - May/June (2009 vol. 7)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.77
M. Eric Johnson , Dartmouth College
Shari Lawrence Pfleeger , RAND Corporation
Eric Goetz , Dartmouth College
Although security professionals have long talked about risk, moving an organization from a "security" mindset to one that thoughtfully considers information risk is a challenge. Managing information risk means building risk analysis into every business decision. The authors explore how chief information security officers (CISOs) of large firms are working to move the conversation from security toward information risk. CISOs face many organizational challenges, but they widely agree that action plans must include risk categorization, communication, and measurement.
information risk, security, CISO, organizational, chief information security officer
M. Eric Johnson, Shari Lawrence Pfleeger, Eric Goetz, "Security through Information Risk Management", IEEE Security & Privacy, vol. 7, no. 3, pp. 45-52, May/June 2009, doi:10.1109/MSP.2009.77