TOPM: a formal approach to the optimization of information technology risk management
Computers and Security
Controlling prototype development through risk analysis
MIS Quarterly
Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security
IEEE Transactions on Software Engineering
The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
Managing Information Security Risks: The Octave Approach
Information Systems Research
Two Formal Analyses of Attack Graphs
CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Management of Information Security
Decision Support Systems - Special issue: Intelligence and security informatics
Evaluating information assurance strategies
Decision Support Systems
Corporate Computer and Network Security
Building secure e-business systems: technology and culture in the UAE
Proceedings of the 2008 ACM symposium on Applied computing
Studying users' computer security behavior: A health belief perspective
Decision Support Systems
A web-based multi-perspective decision support system for information security planning
Decision Support Systems
Platform-based information goods: The economics of exclusivity
Decision Support Systems
Maximising resource allocation effectiveness for IT security investments
International Journal of Business Information Systems
Knowledge sharing and investment decisions in information security
Decision Support Systems
Information Sciences: an International Journal
This paper considers two important issues in security risk management: first, the presence of network externalities in security risks, where one system's exposure affects the risk of others on the same network; second, the distinction between general (network-level) and system-specific protection measures. We derive the optimal allocation of security resources (investments) for protecting every system in an organization. The results show that accounting for network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of each system's risk plays a critical role in the success of risk management; when relative system risks are likely to be misjudged, a uniform baseline protection approach may be more desirable.