期刊名称:Communications of the Association for Information Systems
印刷版ISSN:1529-3181
出版年度:2011
卷号:28
期号:1
页码:22
出版社:Association for Information Systems
摘要:As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.
关键词:risk management; cost benefit analysis; decision support system; expert system
