INFORMATION SECURITY AND
RISK MANAGEMENT
Use the new PCR risk metric to find ways to enhance
security, avoiding one-dimensional metrics like ALE that
could risk an organization’s survivability.

The economic framework explored in [3, 6, 7] is useful for evaluating information security activities. A key concept in this framework is the notion of risk management. Even though organizations try to avoid any breach of information security, they cannot make all their information 100% secure all the time. Thus, managing the risk associated with potential breaches is an integral part of resource-allocation decisions associated with information-security activities.¹ To make such decisions, the chief information security officer (CISO) needs first to be clear about what is meant by risk.

Risk involves multiple dimensions and meanings within the context of information security. Here, we discuss three measures that capture var-

¹ See [5] for a framework for cyber risk management that incorporates insurance.
