Contents
List of Tables ........................................................ x
List of Figures ....................................................... xi
Summary ............................................................... xii
Chapter 1 Overview of Research ........................................ 1
Chapter 2 Information Security: Practice and Threats in Organizations . 6
    2.1 The State of the Art of Security Practice in Businesses ....... 7
    2.2 The Nature of Security Threats ................................ 10
    2.3 Deploying Resources in Information Security ................... 13
    2.4 Security Standards and Overview of Common Criteria ............ 15
Chapter 3 Costs Resulting from Information Security Incidents ......... 20
    3.1 A Critical Overview ........................................... 20
    3.2 Insurance and Risk Mitigation ................................. 22
        3.2.1 Liability Issues ........................................ 23
        3.2.2 Information Systems Disasters ........................... 25
        3.2.3 Working with the Insurance Industry ..................... 26
        3.2.4 Limiting Cases .......................................... 29
    3.3 Cost of an Incident ........................................... 30
    3.4 Variability of Losses Resulting from Similar Exploitation ..... 31
    3.5 Quantifying the Cost of Security Incidents .................... 32
    3.6 Analysis of Cost of Security Breach Announcements ............. 37
Chapter 4 Probability of Security Incidents ........................... 45
    4.1 Subjective Probability Assessment ............................. 45
    4.2 Possible Pitfalls of Subjective Analysis ...................... 45
    4.3 Scope of Subjective Analysis .................................. 47
    4.4 Probability Assessment ........................................ 48
Chapter 5 Classification of Security Threats in Information Systems ... 52
    5.1 A Review of Existing Taxonomies ............................... 53
    5.2 A Model for Threat Classification and Control Measures ........ 54
Chapter 6 Developing a Risk Management System ......................... 63
    6.1 A Critical Overview ........................................... 63
    6.2 A Risk Management System ...................................... 68
        6.2.1 Resource and Application Value Analysis ................. 69
        6.2.2 Vulnerability and Risk Analysis ......................... 69
        6.2.3 Computation of Losses due to Threats and Benefits of Countermeasures ... 70
        6.2.4 Selection of Countermeasures ............................ 70
    6.5 Implementation of Alternatives ................................ 73
Chapter 7 Case Studies ................................................ 75
    7.1 First Round of Interviews ..................................... 75
    7.2 Summary of Answers in First Round ............................. 82
    7.3 Round Two and Summary of Results .............................. 84
Chapter 8 Contributions and Conclusions ............................... 89
Chapter 9 Future Work ................................................. 93
Bibliography .......................................................... 96