Assessment of Enterprise Information Security: The Importance of Information Search Cost
2006 (English)
In: Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1530-1605, Vol. 9, 219a- p.
Article in journal (Refereed) Published
Several methods and standards are available today for assessing the level of information security in an enterprise. A problem with these assessment methods is that they neither provide an indication of the amount of effort required to obtain the assessment nor an approximation of this measure's credibility. This paper describes a part of a new method for assessing the level of enterprise information security that expresses the credibility of the results in terms of confidence levels and makes use of an estimation of the cost of searching for security evidence. Such methods for predicting the information search cost of assessments are detailed in the paper. Search cost predictions are used to provide guidance on how to minimize the effort spent on performing enterprise information security assessments. The conclusions are based on a security assessment performed at a large European energy company and a statistical survey among Swedish security experts.
Place, publisher, year, edition, pages
2006. Vol. 9, 219a- p.
Keywords
Confidence levels, Information security assessments, Security evidences, Approximation theory, Expert systems, Industrial management, Information dissemination, Systems analysis
Computer and Information Science
Identifiers
URN: urn:nbn:se:kth:diva-8898
DOI: 10.1109/HICSS.2006.67
ScopusID: 2-s2.0-33749635085
OAI: oai:DiVA.org:kth-8898
DiVA: diva2:14378
QC 20101028
2005-12-08
2005-12-08
2010-10-28
Bibliographically approved