Abstract

Security risk management is becoming increasingly important in a variety of areas related to information technology (IT), such as telecommunications, cloud computing, and banking information systems. In this paper, we develop a systematic quantitative framework for security risk management in IT-intensive organizations. This framework provides a unified viewpoint for considering a wide array of security risk factors which can disrupt business continuity. Our approach integrates the three phases of security risk management, namely risk modeling, assessment, and control/mitigation, through a formulation based on directed graphs, cascades of failures, and mathematical optimization. We consider how security events can propagate through an organization and how resource allocation decisions can be made in order to mitigate the amount of damage they cause. The applicability and effectiveness of our framework are demonstrated through a numerical study which shows significant cost reductions when compared to heuristic methods.
