The state of risk assessment practices in information security: An exploratory investigation

Journal of Organizational Computing and Electronic Commerce

Volumn 18, Issue 4, 2008, Pages 255-277

  Rees, Jackie ^a,c   Allen, Jonathan ^b  

^a PURDUE UNIVERSITY   (United States)

^b UNIVERSITY OF SAN FRANCISCO   (United States)

^c NONE   (United States)

Author keywords

Information systems risk management; Information systems security; Information technology management practices; Risk assessment

Indexed keywords

EID: 55049124085     PISSN: 10919392     EISSN: None     Source Type: Journal    
DOI: 10.1080/10919390802421242     Document Type: Article

References (22)

1. D. W. Straub and R. J. Welke, "Coping with systems risk: Security planning models for management decision making," MIS Quarterly, vol. 22, no. 4, pp. 441-469, 1998.
2. H. S. Barki, S. Rivard, and J. Talbot, "Toward an assessment of software development risk," Journal of Management Information Systems, vol. 10, no. 2, pp. 203-225, 1993.
3. H. S. Barki, S. Rivard, and J. Talbot, "An integrative contingency model of software project risk management," Journal of Management Information Systems, vol. 17, no. 4, pp. 37-69, 2001.
4. J. Rees, S. Bandyopadhyay, and E. H. Spafford, "PFIRES: A policy framework for information security," Communications of the ACM, vol. 46, no. 7, pp. 101-106, 2003.
5. CERIAS and Accenture, Policy Framework for Interpreting Risk in eCommerce Security. CERIAS Technical Report 2000-01, 1999. Available: https://www.cerias.purdue.edu/infosec/bibtex_archive//archive/2000-01.pdf.
6. R. K. Rainer, Jr., C. A. Snyder, and H. H. Carr, "Risk analysis for information technology," Journal of Management Information Systems, vol. 8, no. 1, pp. 129-147, 1991.
7. K. P. Badenhorst and J. H. P. Eloff, "TOPM: A formal approach to the optimization of information technology risk management," Computers & Security, vol. 13, no. 5, pp. 411-435, 1994.
8. R. Mogull and R. Wagner, "Client issues for critical infrastructure protection," Gartner Group Research Note K-20-7776, 2003.
9. GAO, Information Security Risk Assessment - Practices of Leading Organizations, Report No. AIMD-99-139, 1999.
10. Z. Ciechanowicz, "Risk analysis: Requirements, conflicts and problems," Computers & Security, vol. 16, no. 3, pp. 223-232, 1997.
11. J. Linnerooth-Bayer and B. Wahlstrom, "Applications of probabilistic risk assessments: The selection of appropriate tools," Risk Analysis, vol. 11, no. 2, pp. 239-248 1991.
12. J. Sharit, "A modeling framework for exposing risks in complex systems," Risk Analysis, vol. 20, no. 4, pp. 469-482, 2000.
13. S. Kaplan and B. J. Garrick, "On the quantitative definition of risk," Risk Analysis, vol. 1, no. 1, pp. 11-27, 1981.
14. K. J. Soo Hoo, "How much is enough? A risk-management approach to computer security," Working Paper, Consortium for Research on Information Security and Policy, Stanford University, 2000.
15. G. V Post and J. D. Diltz, "A stochastic dominance approach to risk analysis of computer systems," MIS Quarterly, pp. 363-375, Dec. 1986.
16. W. H. Delone and E. R. Mclean, "Information systems success: The quest for the dependent variable," Information Systems Research, vol. 3, no. 1, pp. 60-95, 1992.
17. P. B. Seddon, "A respecification and extension of the DeLone and McLean Model of IS success," Information Systems Research, vol. 8, no. 3, pp. 240-253, 1997.
18. A. Rai, S. S. Lang, and R. B. Welker, "Assessing the validity of IS success models: An empirical test and theoretical analysis," Information Systems Research, vol. 13, no. 1, pp. 50-69, 2002.
19. D. W. Straub, Jr., "Effective IS security: An empirical study," Information Systems Research, vol. 1, no. 3, pp. 255-276, 1990.
20. K. Campbell, L. A. Gordon, M. P. Loeb, and L. Zhou, "The economic cost of publicly announced information security breaches: Empirical evidence from the stock market," Journal of Computer Security, vol. 11, pp. 431-447, 2003.
21. H. Cavusoglu, B. Mishra, and S. Raghunathan, "The effect of Internet security breach announcements on market value of breached firms and Internet security developers," International Journal of Electronic Commerce (Forthcoming), 2004.
22. R. Richardson, "2003 CSI/FBI Computer Crime and Security Survey," The Computer Security Institute, 2004. Available, http://www.gocsi.com/.