Information security is information risk management

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Information security is information risk management

Full text

Pdf (756 KB)

Source

New Security Paradigms Workshop archive
Proceedings of the 2001 workshop on New security paradigms table of contents

Cloudcroft, New Mexico

SESSION: Session 5: less is more table of contents

Pages: 97 - 104

Year of Publication: 2001

ISBN:1-58113-457-6

Authors

Bob Blakley	Tivoli Systems, Inc.
Ellen McDermott	J.P. MorganChase
Dan Geer	@Stake

Sponsor

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 49, Downloads (12 Months): 551, Citation Count: 6

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/508171.508187 What is a DOI?

ABSTRACT

Information security is important in proportion to an organization's dependence on information technology. When an organization's information is exposed to risk, the use of information security technology is obviously appropriate. Current information security technology, however, deals with only a small fraction of the problem of information risk. In fact, the evidence increasingly suggests that information security technology does not reduce information risk very effectively.This paper argues that we must reconsider our approach to information security from the ground up if we are to deal effectively with the problem of information risk, and proposes a new model inspired by the history of medicine.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	{AS} Standards Australia, "AS/NZS 4360:1999 Risk Management", 1999.
	2	{CSI} Computer Security Institute and US FBI, "Computer Security Issues & Trends", CSI, 2000.
	3	William A. Arbaugh , William L. Fithen , John McHugh, Windows of Vulnerability: A Case Study Analysis, Computer, v.33 n.12, p.52-59, December 2000 [doi>10.1109/2.889093]
	4	{Basel} Bank for International Settlements, "The New Basel Capital Accord", Basel: Bank for International Settlements, 2001.
	5	{Bcom} Comments on New Basel Capital Accord, http://www.bis.org/bcbs/cacomments.htm
	6	{CERT} CERT, CERT Annual Reports, http://www.cert.org/annual_rpts/index.html
	7	{ECov} TechRisk.Law, "e-Coverage", Cincinnati, OH: National Underwriter Company, 2000.
	8	{ERisk} Lang, S., Davis, J., Jaye, D., Erwin, D., Mullarney, J., Clarke, L., and Loesch, M., "e-risk: Liabilities in a Wired World", Cincinnati, OH: National Underwriter Company, 2000.
	9	{FIPS31} US Department of Commerce/National Bureau of Standards, "Guidelines For Automatic Data Processing Physical Security and Risk Management", 1974.
	10	{FIPS191} US Department of Commerce/National Institute of Standards and Technology, "Guideline for the Analysis of Local Area Network Security", 1994.
	11	{GAO} US General Accounting Office, "Information Security Risk Assessment: Practices of Leading Organizations", 1999.
	12	{Har} Harrington, S., and Niehaus, G., "Risk Management and Insurance", Boston, Irwin/McGraw Hill, 1999.
	13	{HPDG} Shannon, M., Wilson, B., and Stang, C. (eds.), "Health Professional's Drug Guide", Upper Saddle River, NJ, Prentice Hall, 2002.
	14	{Koll} Koller, G., "Risk Assessment and Decision Making in Business and Industry", Boca Raton, Fla.: CRC Press, 1999.
	15	{KBPS} Kolluru, R., Bartell, S., Pitblado, R., and Stricoff, S., "Risk Assessment and Management Handbook for Environmental, Health, and Safety Professionals", Boston: McGraw-Hill, 1996.
	16	Nancy G. Leveson, Safeware: system safety and computers, ACM Press, New York, NY, 1995
	17	{Merl} Merck & Co., "Merck's 1899 Manual", New York, Merck & Co., 1899.
	18	{Merl7} Beers, M., and Berkow, R. (eds.), "The Merck Manual of Diagnosis and Therapy", 17th ed., Whitehouse Station, NJ, Merck Research Laboratories, 1999.
	19	{NISTRMG} US National Institute of Standards and Technology, "Special Publication 800-30: Risk Management Guide" (Draft), 2001.
	20	{OFA} Thomas, R. (ed.), "Old Farmer's Almanac", William Ware & Co., Boston, 1900.
	21	Thomas R. Peltier, Information Security Risk Analysis, CRC Press, Inc., Boca Raton, FL, 2000
	22	{Por} Porter, R., "The Greatest Benefit to Mankind", New York, W.W. Norton & Company, 1997.
	23	{Shim} Shimpi, P., "Integrating Corporate Risk Management, New York, Texere, 1999.
	24	Neil R. Storey, Safety Critical Computer Systems, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1996

CITED BY 6

	Steven J. Greenwald , Kenneth G. Olthoff , Victor Raskin , Willibald Ruch, The user non-acceptance paradigm: INFOSEC's dirty little secret, Proceedings of the 2004 workshop on New security paradigms, September 20-23, 2004, Nova Scotia, Canada
	Zaid Dwaikat , Francesco Parisi-Presicce, Risky trust: risk-based analysis of software systems, ACM SIGSOFT Software Engineering Notes, v.30 n.4, July 2005
	Charles Pak, The near real time statistical asset priority driven (nrtsapd) risk assessment methodology, Proceedings of the 9th ACM SIGITE conference on Information technology education, October 16-18, 2008, Cincinnati, OH, USA
	Steven J. Greenwald , Marv Schaefer, Assurance in life/nation critical endeavors a panel, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia
	Lars Grunske , David Joyce, Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles, Journal of Systems and Software, v.81 n.8, p.1327-1345, August, 2008
	Ivan Flechais , M. Angela Sasse , Stephen M. V. Hailes, Bringing security home: a process for developing secure and usable systems, Proceedings of the 2003 workshop on New security paradigms, August 18-21, 2003, Ascona, Switzerland

INDEX TERMS

Primary Classification:
D. Software
D.4 OPERATING SYSTEMS
D.4.6 Security and Protection
Subjects: Information flow controls

Additional Classification:
K. Computing Milieux
K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
K.6.5 Security and Protection (D.4.6, K.4.2)
Subjects: Unauthorized access (e.g., hacking, phreaking)
K.8 PERSONAL COMPUTING
K.8.3 Management/Maintenance

General Terms:
Management, Security

Collaborative Colleagues:

Bob Blakley: colleagues

Ellen McDermott: colleagues

Dan Geer: colleagues

Peer to Peer - Readers of this Article have also read:

Improving the granularity of access control in Windows NT Proceedings of the sixth ACM symposium on Access control models and technologies
Michael M. Swift , Peter Brundrett , Cliff Van Dyke , Praerit Garg , Anne Hopkins , Shannon Chan , Mario Goertzel , Gregory Jensenworth
Web application security assessment by fault injection and behavior monitoring Proceedings of the 12th international conference on World Wide Web
Yao-Wen Huang , Shih-Kun Huang , Tsung-Po Lin , Chung-Hung Tsai
Inferring constraints from multiple snapshots ACM Transactions on Graphics (TOG) 12, 4
David Kurlander , Steven Feiner
Efficient, DoS-resistant, secure key exchange for internet protocols Proceedings of the 9th ACM conference on Computer and communications security
William Aiello , Steven M. Bellovin , Matt Blaze , John Ioannidis , Omer Reingold , Ran Canetti , Angelos D. Keromytis
Data structures for quadtree approximation and compression Communications of the ACM 28, 9
Hanan Samet

Adobe Acrobat

QuickTime

Windows Media Player

Real Player