Network externalities, layered protection and IT security risk management

Decision Support Systems

Volumn 44, Issue 1, 2007, Pages 1-16

  Yue, Wei T ^a   Çakanyildirim, Metin ^a   Ryu, Young U ^a   Liu, Dengpan ^b  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

^b UNIVERSITY OF ALABAMA IN HUNTSVILLE   (United States)

Author keywords

IT risk analysis; IT risk management; IT risk mitigation; Security investments; Security resource planning

Indexed keywords

INFORMATION THEORY; RESOURCE ALLOCATION; RISK ANALYSIS; SECURITY OF DATA;

RISK MITIGATION; SECURITY INVESTMENTS; SECURITY RESOURCE PLANNING;

RISK MANAGEMENT;

EID: 34548477450     PISSN: 01679236     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.dss.2006.08.009     Document Type: Article

References (36)

1. Alavi M., and Weiss I.R. Managing the risks associated with end-user computing. Journal of Management Information Systems 2 3 (1985-1986) 5-20
2. Alberts C., and Dorofee A. Managing information security risks: the OCTAVE approach (2002), Pearson Education, Inc., Upper Saddle River, New Jersey
3. Anderson J., and Narasimhan R. Assessing project implementation risk: a methodological approach. Management Science 25 6 (1979) 512-521
4. Badenhorst K.P., and Eloff J.H.P. The effect of intrusion detection management methods on the return on investment. Computers & Security 13 5 (1994) 411-435
5. Baskerville R.L., and Stage J. Controlling prototype development through risk analysis. MIS Quarterly 20 4 (1996) 481-501
6. Briney A. 2001 industry survey. Information Security Magazine (2001) 34-46
7. Cavusoglu H., and Raghunathan S. Configuration of detection software: a comparison of decision and game theory approaches. Decision Analysis 1 3 (2004) 131-148
8. Cavusoglu H., Mishra B., and Raghunathan S. Optimal design of information technology security architecture. Proceedings of the Twenty-Third International Conference on Information Systems, Barcelona, Spain (2002) 749-756
9. de Ru W.G., and Eloff J.H.P. Risk analysis modelling with the use of fuzzy logic. Computers & Security 15 3 (1996) 239-248
10. Ernst, and Young. Global information security survey 2003 (2003), Ernst & Young LLP, White Paper
11. Gaffney Jr. J.E., and Ulvila J.W. A decision analysis method for evaluating computer intrusion detection systems. Decision Analysis 1 1 (2004) 39-54
12. Gordon L.A., and Loeb M.P. The economics of information security investment. ACM Transactions on Information and System Security 5 4 (2002) 438-457
13. Guarro S.B. Principles and procedures of the lram approach to information systems risk analysis and management. Computer & Security 6 6 (1987) 493-504
14. Gupta M., Rees J., Chaturvedi A., and Chi J. Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decision Support Systems 41 3 (2006) 592-603
15. Hamill J.T., Deckro R.F., and Kloeber Jr. J.M. Evaluating information assurance strategies. Decision Sopport Systems, 39 3 (2005) 463-484
16. Higgins M. Symantec Internet security threat report: attack trends for Q3 and Q4 2002 (2003), Symantec Corporation February
17. Jha S., Sheyner O., and Wing J. Two formal analyses of attack graphs. Computer Security Foundations Workshops, Cape Breton, Nova Scotia, Canada (2002) 49-63
18. Loch K.D., Carr H.H., and Warkentin M.E. Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly 16 2 (1992) 173-186
19. Lyytinen K., Mathiassen L., and Ropponen J. Attention shaping and software risk - a categorical analysis of four classical risk management approaches. Information Systems Research 9 3 (1998) 233-255
20. McFarlan F.W. Portfolio approach to information systems. Harvard Business Review 59 5 (1981) 142-150
21. Moitra S.D., and Konda S.L. The survivability of network systems: an empirical analysis (2000), Carnegie Mellon University SEI/CERT Report CMU/SEI-2000-TR-021
22. Ngai E.W.T., and Wat F.K.T. Dominance approach to risk analysis of computer systems. Decision Support Systems 37 4 (2004) 485-500
23. NIST. An introduction to computer security: the NIST handbook. National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, Special Publication 800-12 (1995)
24. Ortalo R., Deswarte Y., and Kaaniche M. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering 25 5 (1999) 633-650
25. Panko R.R. Corporate computer and network security (2004), Pearson Education, Inc., Upper Saddle River, New Jersey
26. Post G.V., and Diltz J.D. Dominance approach to risk analysis of computer systems. MIS Quarterly 10 4 (1986) 363-375
27. PriceWaterhouseCoopers. Information security breaches survey 2004 (2004), Department of Trade and Industry (DTI), United Kingdom Technical Report
28. Richardson R. 2003 CSI/FBI computer crime and security survey. Computer Security Journal (2003) Tech. Rep.
29. Stein T. Security gets top-level attention. Optimize, 23 September (2003)
30. Stoneburner G., Goguen A., and Feringa A. Risk management guide for information technology systems. National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, Special Publication 800-30 (2002)
31. Stoneburner G., Hayden C., and Feringa A. Engineering principles for information technology security (a baseline for achieving security), revision a. National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, Special Publication 800-27 (2004)
32. Straub D.W. Effective is security: an empirical study. Information Systems Research 1 3 (1990) 255-276
33. Straub D.W., and Welke R.J. Coping with systems risk: security planning models for management decision-making. MIS Quarterly 22 4 (1998) 441-469
34. Tanna G.B., Gupta M., Rao H.R., and Upadhyaya S. Information assurance metric development framework for electronic bill presentment and payment systems using transaction and workflow analysis. Decision Support Systems 41 1 (2005) 242-261
35. Thurman M. Stepping up to Sarbanes-Oxley, Computer World (2004). http://www.computerworld.com/securitytopics/security/story/0,10 801,89306,00.html
36. Whitman M.E., and Mattord H.J. Management of information security. Course Technology (2004), Thompson, Boston, Massachusetts