Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring reductions in expected loss.
Nonparametric methods can be used to analyze failure times and estimate probability distributions for failures of systems due to successful attacks on confidentiality, integrity, and availability in information security. However, such methods do not take full advantage of supplemental information regarding the configurations of systems in an information…
Targeted malicious emails (TME) for computer network exploitation have become more insidious and more widely documented in recent years. Beyond spam or phishing designed to trick users into revealing personal information, TME can exploit computer networks and gather sensitive information. They can consist of coordinated and persistent campaigns that can…
How do IT security managers make decisions in the absence of empirical data, and how do they know these decisions are successful? Some security managers seem more successful at making decisions than others. Are they guessing, or are they using some tacit knowledge? To address these questions, a study employed open-ended interviews with highly regarded,…
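The two abstracts above (quantitative risk management from expected losses, and nonparametric estimation of failure-time distributions) can be illustrated together. The following is an added example, not code from either paper: it applies the Kaplan-Meier estimator, a standard nonparametric survival method, to right-censored time-to-compromise observations (hosts still uncompromised when the observation window ends), then turns the estimated survival curve into an expected loss over a planning horizon. The host data and the loss figure are constructed for the example; the function names are the author's own choices.

```python
"""Nonparametric time-to-compromise estimation and expected loss (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    time: float        # days the host was observed
    compromised: bool  # True: successful attack at `time`; False: right-censored


# Constructed sample: ten hosts, four compromised, six still up at end of study.
SAMPLE = [
    Observation(5, True), Observation(8, True), Observation(8, False),
    Observation(12, True), Observation(15, False), Observation(20, True),
    Observation(20, True), Observation(25, False), Observation(30, False),
    Observation(30, False),
]


def kaplan_meier(obs):
    """Return [(t, S(t))] at each distinct compromise time.

    S(t) is the estimated probability a host survives past t. Censored hosts
    count as at risk at every time up to and including their censoring time,
    which is the usual Kaplan-Meier convention.
    """
    obs = sorted(obs, key=lambda o: o.time)
    event_times = sorted({o.time for o in obs if o.compromised})
    survival = 1.0
    curve = []
    for t in event_times:
        at_risk = sum(1 for o in obs if o.time >= t)
        events = sum(1 for o in obs if o.time == t and o.compromised)
        survival *= 1.0 - events / at_risk
        curve.append((t, survival))
    return curve


def prob_compromised_by(curve, horizon):
    """P(compromise within `horizon`) = 1 - S(t*) for the last event time t* <= horizon.

    The horizon should lie inside the observation window; the estimator says
    nothing about times beyond the last observation.
    """
    survival = 1.0
    for t, s in curve:
        if t > horizon:
            break
        survival = s
    return 1.0 - survival


def expected_loss(curve, horizon, loss_per_incident):
    """Expected loss over the horizon: probability of compromise times loss per incident.

    Comparing this value before and after a control is the 'reduction in
    expected loss' metric the first abstract recommends.
    """
    return prob_compromised_by(curve, horizon) * loss_per_incident


if __name__ == "__main__":
    curve = kaplan_meier(SAMPLE)
    for t, s in curve:
        print(f"day {t:>3}: S(t) = {s:.3f}")
    # Constructed figure: assume one compromise costs 50,000 to clean up.
    print("expected loss over 10 days:", expected_loss(curve, 10, 50_000))
```

Each step of the curve divides the number of hosts compromised at that time by the number still at risk, so a censored host contributes to the denominator only for as long as it was observed. That is what lets the estimate use partial observations rather than discarding every host that was not compromised before the study ended.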