Bob Blakley
ABSTRACT
Information security is important in proportion to an organization's dependence on information technology. When an organization's information is exposed to risk, the use of information security technology is obviously appropriate. Current information security technology, however, deals with only a small fraction of the problem of information risk. In fact, the evidence increasingly suggests that information security technology does not reduce information risk very effectively.This paper argues that we must reconsider our approach to information security from the ground up if we are to deal effectively with the problem of information risk, and proposes a new model inspired by the history of medicine.
- {AS} Standards Australia, "AS/NZS 4360:1999 Risk Management", 1999.Google Scholar
- {CSI} Computer Security Institute and US FBI, "Computer Security Issues & Trends", CSI, 2000.Google Scholar
- {AFM} Arbaugh, W., Fithen, W., and McHugh, J., "Windows of Vulnerability, a Case Study Analysis", IEEE Computer, IEEE, December, 2000. Google ScholarDigital Library
- {Basel} Bank for International Settlements, "The New Basel Capital Accord", Basel: Bank for International Settlements, 2001.Google Scholar
- {Bcom} Comments on New Basel Capital Accord, http://www.bis.org/bcbs/cacomments.htmGoogle Scholar
- {CERT} CERT, CERT Annual Reports, http://www.cert.org/annual_rpts/index.htmlGoogle Scholar
- {ECov} TechRisk.Law, "e-Coverage", Cincinnati, OH: National Underwriter Company, 2000.Google Scholar
- {ERisk} Lang, S., Davis, J., Jaye, D., Erwin, D., Mullarney, J., Clarke, L., and Loesch, M., "e-risk: Liabilities in a Wired World", Cincinnati, OH: National Underwriter Company, 2000.Google Scholar
- {FIPS31} US Department of Commerce/National Bureau of Standards, "Guidelines For Automatic Data Processing Physical Security and Risk Management", 1974.Google Scholar
- {FIPS191} US Department of Commerce/National Institute of Standards and Technology, "Guideline for the Analysis of Local Area Network Security", 1994.Google Scholar
- {GAO} US General Accounting Office, "Information Security Risk Assessment: Practices of Leading Organizations", 1999.Google Scholar
- {Har} Harrington, S., and Niehaus, G., "Risk Management and Insurance", Boston, Irwin/McGraw Hill, 1999.Google Scholar
- {HPDG} Shannon, M., Wilson, B., and Stang, C. (eds.), "Health Professional's Drug Guide", Upper Saddle River, NJ, Prentice Hall, 2002.Google Scholar
- {Koll} Koller, G., "Risk Assessment and Decision Making in Business and Industry", Boca Raton, Fla.: CRC Press, 1999.Google Scholar
- {KBPS} Kolluru, R., Bartell, S., Pitblado, R., and Stricoff, S., "Risk Assessment and Management Handbook for Environmental, Health, and Safety Professionals", Boston: McGraw-Hill, 1996.Google Scholar
- {Leve} Leveson, N., "Safeware: System Safety and Computers", Reading, Mass.: Addison-Wesley, 1995. Google Scholar
- {Merl} Merck & Co., "Merck's 1899 Manual", New York, Merck & Co., 1899.Google Scholar
- {Merl7} Beers, M., and Berkow, R. (eds.), "The Merck Manual of Diagnosis and Therapy", 17th ed., Whitehouse Station, NJ, Merck Research Laboratories, 1999.Google Scholar
- {NISTRMG} US National Institute of Standards and Technology, "Special Publication 800-30: Risk Management Guide" (Draft), 2001.Google Scholar
- {OFA} Thomas, R. (ed.), "Old Farmer's Almanac", William Ware & Co., Boston, 1900.Google Scholar
- {Pelt} Peltier, T., "Information Security Risk Analysis", Boca Raton, Fla: Auerbach Publications, 2001. Google ScholarDigital Library
- {Por} Porter, R., "The Greatest Benefit to Mankind", New York, W.W. Norton & Company, 1997.Google Scholar
- {Shim} Shimpi, P., "Integrating Corporate Risk Management, New York, Texere, 1999.Google Scholar
- {Stor} Storey, N., "Safety-Critical Computer Systems", Reading, Mass.: Addison-Wesley, 1996. Google ScholarDigital Library
Index Terms
- Information security is information risk management
Recommendations
Integrating information quality dimensions into information security risk management (ISRM)
This research strives to serve as a fundamental stepping stone for triggering the attention of researchers and information security practitioners on the needs of integrating information quality dimension in the ISRM field.This research contributes to ...
Security through Information Risk Management
Although security professionals have long talked about risk, moving an organization from a "security" mindset to one that thoughtfully considers information risk is a challenge. Managing information risk means building risk analysis into every business ...
Information security management: An information security retrieval and awareness model for industry
The purpose of this paper is to present a conceptual view of an Information Security Retrieval and Awareness (ISRA) model that can be used by industry to enhance information security awareness among employees. A common body of knowledge for information ...
Comments