Although a variety of information security risk management (ISRM) approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can the risk level of a business process be determined by taking the risk levels of the involved resources into account? This paper presents our research results regarding resource-based risk analysis method...

The objective of this paper is to clarify the interactive nature of the leader-follower relationship when both players are endogenously risk-averse. The analysis is placed in the context of a dynamic closed-loop Stackelberg game with private information. The case of a risk-neutral leader, very often discussed in the literature, is only a borderline possibility in the present study. Each player ...

The usage of information systems (IS) within organizations has become crucial. Information is one of the most vulnerable resources within an enterprise. Information can be exposed, tampered or made non-accessible, where the integrity, confidentiality or availability becomes affected. The ability to manage risks is therefore a central issue in enterprises today. In order to manage risks, the ris...

Financial dealer firms have invested heavily in recent years to develop information systems for risk measurement. I take it as given that technological progress is likely to continue at a rapid pace, making it less expensive for financial firms to assemble risk information. I look beyond questions of risk measurement methodology to investigate the implications of risk management information sys...

Original scientific paper Risk protection has long been one of the main tasks of companies in a wide scope of business. From extensive range of risks the cyber-risks highlight as one of the most important. Cyber-risks are generated from hackers, malicious software, disgruntled employees, competitors, and many other sources both internal and external. Internal and external attacks on corporate a...

This paper begins a process of organizing knowledge of health information security threats into a comprehensive catalog. We begin by describing our risk management perspective of health information security, and then use this perspective to motivate the development of a health information threat tree. We describe examples of three threats, breaking each down into its key risk-related data attri...

This research explores key aspects involved in the process of managing risk associated with acquisition projects within the US Department of Defense (DOD). First, various US Government Accountability Office reports are analyzed to identify the strengths and weaknesses of the DOD’s overall program management practices, as well as individual projects. Then, the evolution and progress of United St...

In this paper, we provide an alternative explanation for why auctioneers often keep the reserve price hidden or secret. We consider a standard independent private values environment in which the buyers are risk-averse and the seller has private information about her valuation of the object to be auctioned. The seller uses a Þrst-price sealed-bid auction mechanism combined with either an announc...

Recently, a novel approach towards semi-quantitative IT security risk assessment has been proposed in the draft IEC 62443-3-2. This approach is analyzed from several different angles, e.g. embedding into the overall standard series, semantic and methodological aspects. As a result, several systematic flaws in the approach are exposed. As a way forward, an alternative approach is proposed which ...

As part of their compliance process with the Basel 2 operational risk management requirements, banks must define how they deal with information security risk management. In this paper we describe work in progress on a new quantitative model to assess and aggregate information security risks that is currently under development for deployment. We show how to find a risk mitigation strategy that i...