Information security is information risk management

Authors:
Bob Blakley;Ellen McDermott;Dan Geer
Affiliations:
Tivoli Systems, Inc.;J.P. MorganChase;@Stake
Venue:
Proceedings of the 2001 workshop on New security paradigms
Year:
2001

Citing 4
Cited 11

Safeware: system safety and computers

Safeware: system safety and computers
Information Security Risk Analysis

Information Security Risk Analysis
Safety Critical Computer Systems

Safety Critical Computer Systems
Windows of Vulnerability: A Case Study Analysis

Computer

Assurance in life/nation critical endeavors a panel

Proceedings of the 2002 workshop on New security paradigms
Bringing security home: a process for developing secure and usable systems

Proceedings of the 2003 workshop on New security paradigms
The user non-acceptance paradigm: INFOSEC's dirty little secret

NSPW '04 Proceedings of the 2004 workshop on New security paradigms
Risky trust: risk-based analysis of software systems

SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles

Journal of Systems and Software
The near real time statistical asset priority driven (nrtsapd) risk assessment methodology

SIGITE '08 Proceedings of the 9th ACM SIGITE conference on Information technology education
Quantified security is a weak hypothesis: a critical survey of results and assumptions

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Optimizing a policy authoring framework for security and privacy policies

Proceedings of the Sixth Symposium on Usable Privacy and Security
A stealth approach to usable security: helping IT security managers to identify workable security solutions

Proceedings of the 2010 workshop on New security paradigms
A hybrid information security risk assessment procedure considering interdependences between controls

Expert Systems with Applications: An International Journal
Cyber-risk decision models: To insure IT or not?

Decision Support Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Information security is important in proportion to an organization's dependence on information technology. When an organization's information is exposed to risk, the use of information security technology is obviously appropriate. Current information security technology, however, deals with only a small fraction of the problem of information risk. In fact, the evidence increasingly suggests that information security technology does not reduce information risk very effectively.This paper argues that we must reconsider our approach to information security from the ground up if we are to deal effectively with the problem of information risk, and proposes a new model inspired by the history of medicine.