A Quantitative Model for Information-Security Risk Management

Information-security risk management is becoming an increasingly important process in modern businesses. The proposed model for managing information-security risks is based on a quantitative analysis of the security risks that enable organizations to introduce optimum security solutions. The model is designed as a standard procedure to lead the organization from the initial selection of input data to the final recommendations for the selection of the appropriate solutions, which reduces a certain security risk. In analyzing the security risks, the model quantitatively evaluates the information assets, their vulnerability, and the threats to information assets. The values of the risk parameters are the basis for selecting the appropriate risk treatment and the evaluation of the various security measures that reduce security risks. Economic indicators are determined for each security measure in order to enable a comparison of the various security measures. This includes the possibility of investing in technology-security solutions, the introduction of organizational procedures, and the training and transfer of risk to an outsourcing provider or to an insurance agency. The model was tested using empirical examples with data from a real business environment.