Open Access

Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System



Acquisti, A., Friedman, A. & Telang, R. (2006). Is there a cost to privacy breaches? An event study. In: Workshop on the Economics of Information Security, UK: Cambridge, Retrieved October 12, 2012 from http://www.heinz.cmu.edu/~acquisti/papers/acquistifriedman-telang-privacy-breaches.pdf

Anderson, R. & Schneier, B. (2005). Guest Editor's Introduction: Economics of Information Security. IEEE Security and Privacy, 3(1), 12-13, http://dx.doi.org/10.1109/MSP.2005.14

Anderson, R. (2001). Why information security is hard - an economic perspective, Computer Security Applications. In: ACSAC 2001, Proceedings of the 17th Annual Conference, pp. 358-365, http://dx.doi.org/10.1109/ACSAC.2001.991552

Bojanc, R. & Jerman-Blažič, B. (2007). Towards a standard approach for quantifying an ICT security investment. Computer Standards & Interfaces, 30(4), 216-222, http://dx.doi.org/10.1016/j.csi.2007.10.013

Bojanc, R. & Jerman-Blažič, B. (2008). An economic modelling approach to information security risk management. International Journal of Information Management, 28(5), 413-422, http://dx.doi.org/10.1016/j.ijinfomgt.2008.02.002

Bojanc, R., Jerman-Blažič, B. & Tekavčič, M. (2012). Managing the Investment in Information Security Technology by use of Quantitative Modeling Approach, Information Processing & Management, 48(6), 1031-1052, http://dx.doi.org/10.1016/j.ipm.2012.01.001

Cavusoglu, H. (2004). Economics of IT Security Management. In: Camp, L. and Lewis, S. (Eds), Economics of Information Security, Vol. 12, pp. 71-83. Springer US, http://dx.doi.org/10.1007/1-4020-8090-5_6

Computer Security Institute (CSI). (2011). 2010/2011 Computer Crime and Security Survey. The 15th Annual Computer Crime and Security Survey. Retrieved January 17th, 2012, from http://_www.gocsi.com/survey

Farahmand, F., Navathe, S., Enslow, P. & Sharp, G. (2003). Managing vulnerabilities of information systems to security incidents. In: ICEC '03 Proceedings of the 5th international conference on Electronic commerce, pp. 348-354. ACM: New York, USA, http://dx.doi.org/10.1145/948005.948050

Gordon, A. L. & Loeb, P. M. (2001). Using information security as a response to competitor analysis systems. ACM, 44(9), 70-75, http://dx.doi.org/10.1145/383694.383709

Gordon, A. L. & Loeb, P. M. (2002). The Economics of Information Security Investment. ACM, 5(4), 438-457, http://dx.doi.org/10.1007/1-4020-8090-5_9

Gordon, A. L., & Richardson, R. (April 13, 2004). The New Economics of Information Security. Information Week, 53-56. Retrieved February 11th, 2007, from http://www.banktech.com/aml/showArticle.jhtml?articleID=18901266

Hoo, S. (2000). How Much Is Enough? A Risk-Management Approach To Computer Security. Retrieved February 28th, 2010, from www.cl.cam.ac.uk/~rja14/econws/06.doc

International Organization for Standardization. (2005). Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC 27001:2005. Geneva.

International Organization for Standardization. (2009). Information technology - Security techniques - Information security management systems - Overview and vocabulary. ISO/IEC 27000:2005. Geneva.

Matsuura, K. (2009). Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model. In: Managing Information Risk and the Economics of Security, pp. 99-119. Springer US, http://dx.doi.org/10.1007/978-0-387-09762-6_5

McGraw, G. (2006). Software Security: Building Security In. Addison-Wesley Prof. doi:10.1109/ISSRE.2006.43

National Institute of Standards and Technology. (2004). Mapping Types of Information and Information Systems to Security Categories. Special Publication 800-60. Gaithersburg, Md.

National Institute of Standards and Technology. (2005). An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12. Gaithersburg, Md.

Ryan, J., & Ryan, D. (2006). Expected benefits of information security investments. Computers & Security, 25(8), 579-588, http://dx.doi.org/10.1016/j.cose.2006.08.001

Schneier, B. (2003). Beyond Fear: Think Sensibly about Security in an Uncertain World. New York: Copernicus Books.

Schneier, B. (2004). Secrets & Lies, Digital Security in a Networked World. New York: Wiley Publishing.

Tanaka, H., Liu, W. & Matsuura, K. (2006). An Empirical Analysis of Security Investment in Countermeasures Based on an Enterprise Survey in Japan. In: Workshop on the Economics of Information Security, UK: Cambridge. Retrieved October 12, 2012, from http://weis2006.econinfosec.org/docs/9.pdf

Tanaka, H., Matsuura, K. & Sudoh, O. (2005). Vulnerability and information security investment: An empirical analysis of e-local government in Japan, Journal of Accounting and Public Policy, 24(1), 37-59, http://dx.doi.org/10.1016/j.jaccpubpol.2004.12.003

Willemson, J. (2006). On the Gordon and Loeb Model for Information Security Investment. In: Workshop on the Economics of Information Security, UK: Cambridge, Retrieved October 12, 2012, from http://weis2006.econinfosec.org/prog.html

Language:
English
Publication timeframe:
4 times per year
Journal Subjects:
Business and Economics, Business Management, Management, Organization, Corporate Governance