Printed from https://ideas.repec.org/a/eee/ininma/v28y2008i6p483-491.html

Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

Authors
  • Patel, Sandip C.
  • Graham, James H.
  • Ralston, Patricia A.S.

Abstract

This paper proposes a new approach for assessing an organization's vulnerability to information-security breaches. Although much research has been done on qualitative approaches, the literature on numerical approaches to quantifying information-security risk is scarce. This paper suggests a method to quantify risk in terms of a numeric value or “degree of cybersecurity”. To help quantitatively measure the level of cybersecurity for a computer-based information system, we present two indices, the threat-impact index and the cyber-vulnerability index, based on vulnerability trees. By calculating and comparing the indices for various possible security enhancements, managers can select the best security enhancement, prioritize the choices by their relative effectiveness, and statistically justify spending resources on the selected choice. By quantifying information security, the method can also help managers establish a specific target security level that they can track.
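The abstract names the two indices but does not define them, so the following is an added illustration of the general idea, not the paper's own formulas or code. It builds a small vulnerability tree with AND/OR gates over independent leaf events (AND = product of probabilities, OR = noisy-OR), uses the top-event exploitation probability as a stand-in cyber-vulnerability index and probability times an assumed impact as a stand-in threat-impact index, then ranks candidate enhancements by index reduction per unit cost and checks each against a target level. The tree, every leaf probability, the impact value, the enhancement costs and their effect on the leaves, and the target level are all constructed assumptions for this example.

```python
"""Vulnerability-tree comparison of candidate security enhancements.

Added illustration; the index definitions below are assumptions that stand
in for the paper's (undefined here) threat-impact and cyber-vulnerability
indices. All numbers are constructed for the example.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Optional, Union


@dataclass
class Leaf:
    name: str   # a basic vulnerability an attacker may exploit
    p: float    # assumed probability that the attacker exploits it


@dataclass
class Gate:
    kind: str                        # "AND" or "OR"
    children: List[Union[Leaf, "Gate"]]


def exploit_probability(node: Union[Leaf, Gate],
                        overrides: Optional[Dict[str, float]] = None) -> float:
    """Probability that the node's event occurs, assuming independent leaves.

    `overrides` maps a leaf name to its probability after an enhancement,
    so the same tree can be re-evaluated for each candidate control.
    """
    overrides = overrides or {}
    if isinstance(node, Leaf):
        return overrides.get(node.name, node.p)
    ps = [exploit_probability(c, overrides) for c in node.children]
    if node.kind == "AND":            # every child event must occur
        return prod(ps)
    if node.kind == "OR":             # at least one child event occurs
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Constructed tree: top event "unauthorized control of the system".
TREE = Gate("OR", [
    Gate("AND", [
        Gate("OR", [Leaf("phishing", 0.30), Leaf("password_guessing", 0.10)]),
        Leaf("remote_access_reachable", 0.80),
    ]),
    Leaf("unpatched_service", 0.15),
    Leaf("insider_misuse", 0.05),
])

IMPACT = 500.0        # assumed loss if the top event occurs (arbitrary units)
TARGET_INDEX = 0.25   # assumed management target for the vulnerability index

# Constructed enhancements: name -> (cost, leaf probabilities after the change)
ENHANCEMENTS = {
    "multi-factor authentication": (40.0, {"phishing": 0.05, "password_guessing": 0.01}),
    "patch management":            (25.0, {"unpatched_service": 0.03}),
    "network segmentation":        (60.0, {"remote_access_reachable": 0.20}),
}


def cyber_vulnerability_index(overrides: Optional[Dict[str, float]] = None) -> float:
    """Stand-in index: probability of the top event."""
    return exploit_probability(TREE, overrides)


def threat_impact_index(overrides: Optional[Dict[str, float]] = None) -> float:
    """Stand-in index: expected loss = probability of the top event * impact."""
    return IMPACT * cyber_vulnerability_index(overrides)


def rank_enhancements() -> List[dict]:
    """Rank enhancements by threat-impact reduction per unit cost."""
    base = threat_impact_index()
    rows = []
    for name, (cost, overrides) in ENHANCEMENTS.items():
        new_cvi = cyber_vulnerability_index(overrides)
        new_tii = IMPACT * new_cvi
        rows.append({
            "enhancement": name,
            "cost": cost,
            "vulnerability_index": new_cvi,
            "reduction": base - new_tii,
            "reduction_per_cost": (base - new_tii) / cost,
            "meets_target": new_cvi <= TARGET_INDEX,
        })
    rows.sort(key=lambda r: r["reduction_per_cost"], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"baseline vulnerability index: {cyber_vulnerability_index():.4f}")
    for r in rank_enhancements():
        print(f"{r['enhancement']:<28} CVI={r['vulnerability_index']:.4f} "
              f"benefit/cost={r['reduction_per_cost']:.3f} "
              f"meets target={r['meets_target']}")
```

With these constructed numbers the baseline index is 0.4315; multi-factor authentication gives the largest reduction per unit cost and is the only single enhancement that brings the index under the assumed target, which is the kind of comparison the abstract describes managers making. Treating leaves as independent is the usual fault-tree simplification; correlated weaknesses (one misconfiguration enabling several leaves) would need a different gate model.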

Suggested Citation

  • Patel, Sandip C. & Graham, James H. & Ralston, Patricia A.S., 2008. "Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements," International Journal of Information Management, Elsevier, vol. 28(6), pages 483-491.
  • Handle: RePEc:eee:ininma:v:28:y:2008:i:6:p:483-491
    DOI: 10.1016/j.ijinfomgt.2008.01.009

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0268401208000054
    Download Restriction: Full text for ScienceDirect subscribers only


    Citations



    Cited by:

    1. Fatima Rafiq & Mazhar Javed Awan & Awais Yasin & Haitham Nobanee & Azlan Mohd Zain & Saeed Ali Bahaj, 2022. "Privacy Prevention of Big Data Applications: A Systematic Literature Review," SAGE Open, vol. 12(2), pages 21582440221, May.
    2. Silva, Maisa Mendonça & de Gusmão, Ana Paula Henriques & Poleto, Thiago & Silva, Lúcio Camara e & Costa, Ana Paula Cabral Seixas, 2014. "A multidimensional approach to information security risk management using FMEA and fuzzy theory," International Journal of Information Management, Elsevier, vol. 34(6), pages 733-740.
    3. Henri Teittinen & Markku Kaperi, 2022. "Exploring dishonest vulnerability in digital finance platforms: an actor-network theory approach," International Journal of Business and Management, International Institute of Social and Economic Sciences, vol. 10(2), pages 67-79, November.
    4. Henriques de Gusmão, Ana Paula & Mendonça Silva, Maisa & Poleto, Thiago & Camara e Silva, Lúcio & Cabral Seixas Costa, Ana Paula, 2018. "Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory," International Journal of Information Management, Elsevier, vol. 43(C), pages 248-260.
    5. Bang, Youngsok & Lee, Dong-Joo & Bae, Yoon-Soo & Ahn, Jae-Hyeon, 2012. "Improving information security management: An analysis of ID–password usage and a new login vulnerability measure," International Journal of Information Management, Elsevier, vol. 32(5), pages 409-418.
    6. Doherty, Neil Francis & Anastasakis, Leonidas & Fulford, Heather, 2011. "Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy," International Journal of Information Management, Elsevier, vol. 31(3), pages 201-209.
