Enterprise information security strategies

Computers and Security

Volumn 27, Issue 1-2, 2008, Pages 22-29

  Anderson, Evan E ^a,b   Choobineh, Joobin ^a,b  

^a TEXAS A AND M UNIVERSITY SYSTEM   (United States)

^b TEXAS A AND M UNIVERSITY   (United States)

Author keywords

Best practices; Enterprise security requirements; Information security; Models of risk management; Security costs and benefits

Indexed keywords

AEROSPACE APPLICATIONS; BUDGET CONTROL; COMPENSATION (PERSONNEL); COMPUTER NETWORKS; INFORMATION SERVICES; PROBLEM SOLVING; TECHNOLOGY;

(OTDR) TECHNOLOGY; DECISION MAKER (DM); ELSEVIER (CO); ENTERPRISE INFORMATION; GLOBAL SECURITY; LEVEL MANAGEMENT; SECURITY BREACHES; SECURITY BUDGET; SECURITY EXPENDITURES;

DECISION MAKING;

EID: 44849144759     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2008.03.002     Document Type: Article

References (29)

1. Anderson R. Why information security is hard - an economic perspective. In: IEEE Proceedings of the 17th Annual Computer Security Applications Conference; 2001. p. 358-65.
2. Arzac E., and Bawa V. Portfolio choice and equilibrium in capital markets with safety-first investors. Journal of Financial Economics 14 3 (1977) 277-288
3. Blakley B, McDermott E, Greer D. Information security is information risk management. In: ACM proceedings of the workshop on new security paradigms; 2001. p. 97-104.
4. Cavusoglu H., Mishra B., and Raghunathan S. A model for evaluating it security investments. Communications of the ACM 47 7 (2004) 87-92
5. Cavusoglu H., Mishra B., and Raghunathan S. The value of intrusion detection systems in information technology security architecture. Information Systems Research 16 l (2005) 28-46
6. Eloff M.M., and von Solms S.H. Information security management: a hierarchical framework for various approaches. Computers and Security 19 3 (2000) 243-256
7. Farquhar B. one approach to risk assessment. Computers and Security 10 l (1991) 21-23
8. Finne T. Information systems risk management: key concepts and business processes. Computers and Security 19 3 (2000) 234-242
9. Gehani A. Performance-sensitive real-time risk management is NP-Hard. In: Proceedings of the workshop on foundations of computer security affiliated with 19th IEEE symposium on logic in computer science (LICS); 2004. p. 1-12.
10. Gerber M., and von Solms R. From risk analysis to security requirements. Computers and Security 20 7 (2001) 577-584
11. Gerber M., and von Solms R. Management of risk in the information age. Computers and Security 24 l (2005) 16-30
12. Gollier C., and Pratt J.W. Risk vulnerability and the tempering effect of background risk. Econometrica 64 5 (1996) 1109-1123
13. Gordon L.A., and Loeb M.P. The economics of information security investment. ACM Transactions on Information and System Security 5 4 (2002) 438-457
14. Gordon L.A., and Loeb M.P. Budgeting process for information security expenditures. Communications of the ACM 49 1 (2006) 121-125
15. Hamill J.T., Dekro R.F., and Kloeber J.M. Evaluating information assurance strategies. Decision Support Systems 39 3 (2005) 463-484
16. Hoffman L.J. Risk analysis and computer security: towards a theory at last. Computers and Security 8 l (1989) 23-24
17. Karyda M., Kiountouzis E., and Kokolakis S. Information systems security policies: a contextual perspective. Computers and Security 24 3 (2005) 246-260
18. Miller K.D., and Bromiley P. Strategic risk and corporate performance: an analysis of alternative risk. Academy of Management Journal 33 4 (1990) 756-779
19. National Bureau of Standards. FIPS PUB 31: guidelines for automatic data processing physical security and risk management (1974), U.S. General Printing Office, Washington, DC
20. NIST (National Institute of Standards and Technology). Series 800 guidelines on security national institute of standards and technology. Available from: (2006).
21. Peltier T.R. Risk analysis and risk management. Information Systems Security 13 4 (2004) 44-56
22. Shih S.C., and Wen H.J. Building E-enterprise security: a business view. Information Systems Security 12 4 (2003) 41-49
23. Sklovos N., and Souros P. Economic models and approaches in information security for computer networks. International Journal of Network Security 2 1 (2006) 243-256
24. Soo Hoo K.J. How much is enough? A risk-management approach to computer security (2000), Consortium for Research on Information Security and Policy (CRISP) Stanford University
25. Tsiakis T., and Stephanides G. The economic approach of information security. Computers and Security 24 2 (2005) 105-108
26. Tversky A., and Kahneman D. Rational choice and the framing of decisions. The Journal of Business 59 4 part 2 (1986) S251-S278
27. Walwyn D.R., Taylor D., and Brickhill G. How to manage risk better. Research Technology Management 45 5 (2002) 37-42
28. Ware W. Security controls for computer systems (U). Report of defense science board task force on computer security (Feb 1970), The RAND Corporation, Santa Monica, CA
29. Woodlock P., and Ross R. managing risks at the enterprise level. National Public Accountant 46 9 (2001) 19-21