Measuring the risk-based value of IT security solutions

Journal Article (Review;Journal)

The article discusses a risk management approach that integrates an organization's risk profile with actual damages and implementation costs to determine the costs and benefits of information security solutions. Two concepts central to the approach, incident types and bypass rates, are described; they are used to judge the efficiency of, and return on investment for, an organization's security solutions. The data required for the risk analysis are the observed damage, that is, the damage the company sustains in a given time period for each incident type, and the cost of a given security solution. The method for calculating risk-based return on investment (RROI) is also described.
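As an added illustration of how the abstract's quantities fit together (this is not the paper's own code, and the RROI formula below is an assumed reading of the abstract's concepts rather than the authors' exact method; the incident types, damages, bypass rates and costs are constructed for the example):

```python
"""Risk-based return on investment (RROI) worked example.

Added illustration, not code from the paper. The model is an assumed reading
of the abstract's concepts (incident types, observed damage, bypass rates,
solution cost); the authors' exact formulation may differ. All figures are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class IncidentType:
    name: str
    observed_damage: float  # damage sustained per period with no solution in place


@dataclass(frozen=True)
class Solution:
    name: str
    cost: float  # implementation plus operating cost for the same period
    # Fraction of each incident type that still gets through once the solution
    # is deployed (0.0 = fully blocked, 1.0 = no effect). Assumption: an
    # incident type the solution does not address has a bypass rate of 1.0.
    bypass_rates: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self):
        if self.cost <= 0:
            raise ValueError(f"{self.name}: cost must be positive")
        for kind, rate in self.bypass_rates.items():
            if not 0.0 <= rate <= 1.0:
                raise ValueError(f"{self.name}: bypass rate for {kind} must be in [0, 1]")


def residual_damage(incidents: Iterable[IncidentType], solution: Solution) -> float:
    """Damage still expected per period after deploying the solution."""
    return sum(i.observed_damage * solution.bypass_rates.get(i.name, 1.0) for i in incidents)


def damage_avoided(incidents: List[IncidentType], solution: Solution) -> float:
    """Benefit of the solution: total observed damage minus residual damage."""
    return sum(i.observed_damage for i in incidents) - residual_damage(incidents, solution)


def rroi(incidents: List[IncidentType], solution: Solution) -> float:
    """Assumed RROI: (damage avoided - cost) / cost. 0.0 means break-even."""
    return (damage_avoided(incidents, solution) - solution.cost) / solution.cost


def rank_solutions(incidents: List[IncidentType], solutions: List[Solution]) -> List[Solution]:
    """Order candidate solutions by RROI, highest first."""
    return sorted(solutions, key=lambda s: rroi(incidents, s), reverse=True)


def breakeven_bypass_rate(observed_damage: float, cost: float) -> float:
    """For a solution addressing a single incident type, the highest bypass
    rate at which it still pays for itself (RROI >= 0), from
    observed_damage * (1 - b) = cost. A negative result means no bypass rate,
    not even perfect blocking, recovers the cost on that incident type alone."""
    if observed_damage <= 0:
        raise ValueError("observed_damage must be positive")
    return 1.0 - cost / observed_damage


# Constructed sample data (not from the paper): annual figures.
INCIDENTS = [
    IncidentType("malware", 120_000.0),
    IncidentType("unauthorized access", 80_000.0),
    IncidentType("denial of service", 40_000.0),
]
SOLUTIONS = [
    Solution("endpoint anti-malware", 30_000.0, {"malware": 0.25}),
    Solution("network IDS/IPS", 50_000.0,
             {"malware": 0.5, "unauthorized access": 0.5, "denial of service": 0.75}),
    Solution("web application firewall", 20_000.0, {"unauthorized access": 0.5}),
]

if __name__ == "__main__":
    for s in rank_solutions(INCIDENTS, SOLUTIONS):
        print(f"{s.name:26s} avoided={damage_avoided(INCIDENTS, s):>9,.0f} "
              f"cost={s.cost:>7,.0f} RROI={rroi(INCIDENTS, s):5.2f}")
    print("break-even bypass rate for anti-malware:",
          breakeven_bypass_rate(120_000.0, 30_000.0))
```

Two points the numbers make that the abstract only implies: the IDS/IPS avoids the most damage in absolute terms but ranks below the anti-malware product because RROI measures return per unit of cost, not total risk reduction; and the bypass rate is the input a practitioner can least verify, so the break-even helper tells you how far a vendor's claimed rate can be wrong before the investment stops paying (here, anything above a 75% bypass rate for malware and the anti-malware spend is a loss).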

Cited Authors

  • Arora, A; Hall, D; Pinto, CA; Ramsey, D; Telang, R

Published Date

  • November 1, 2004

Published In

  • IT Professional

Volume / Issue

  • 6 / 6

Start / End Page

  • 35 - 42

International Standard Serial Number (ISSN)

  • 1520-9202

Digital Object Identifier (DOI)

  • 10.1109/MITP.2004.89

Citation Source

  • Scopus