Konferenzbeitrag
Towards solving the data problem in measurement of organizations’ security
Lade...
Volltext URI
Dokumententyp
Text/Conference Paper
Dateien
Zusatzinformation
Datum
2008
Autor:innen
Zeitschriftentitel
ISSN der Zeitschrift
Bandtitel
Verlag
Gesellschaft für Informatik e. V.
Zusammenfassung
Awareness of security has risen during the last years. As a result, the question of adequate protection against security risks increased, too. Management wants to decide whether and how to invest in this protection. As a result, quantitative statements about information-security risks are needed. Existing approaches in this domain either rely on guessed data or do not answer the question in a quantitative way. We think that this is due to the fact that no approach separates information that can be provided by a central organization (e.g. known attacks, available controls, and a control’s probability of protection) from information which must be provided individually (e.g. the controls installed). We have developed an approach that employs this separation and allows quantitative assessment of security with the help of a model. This model is presented here with a special look at the separation.