In this paper, the authors present a quantitative model for estimating a firm's security risk exposure. The model includes a formulation for optimizing the selection of controls as well as for determining the sensitivity of asset exposure to different threats. It organizes the data in a series of matrices grouping assets, vulnerabilities, threats, and controls. The matrices are linked so that data aggregated in one matrix cascades into the others. The computations are reversible and transparent, allowing analysts to answer what-if questions about the data. The exposure formulation is based on the Annualized Loss Expectancy (ALE) model, and uncertainty in the input data is captured through Monte Carlo simulation. A mock case study based on a government agency illustrates the methodology.