Risk Management for IT Security

Rick Kazman and Daniel N. Port, University of Hawaii

David Klappholz, Stevens Institute of Technology


Security Risk Assessment

IT Security Risk Control

Risk Management in Practice

Risk Assessment Methodologies




Quantitative versus Qualitative Approaches

Management of Information Security Standards

TCSEC, ITSEC, CTCPEC, Common Criteria, and ISO 15408

BS 7799, ISO 17799, and ISO TR 13335 (GMITS)


SSE-CMM and ISO/IEC 21827

NIST Guidance Documents

Risk Models


Strategic Risk Models

Strategic Risk Management Methods

Practical Strategic Risk Models

Multitechnique Strategic Methods

Strategic Decision-Making and Competing Risks

Risk of Delay

Balancing Competing Risks for Strategic Planning

Unsuitable Sweet Spots

Practical Risk Exposure Estimation

Qualitative Methods

Empirical Approaches

Pitfalls to Avoid



Cross References


Further Reading


According to Carr, Konda, Monarch, Ulrich, & Walker (1993), risks must be managed, and risk management must be part of any mature organization's overall management practices and management structure. They identify these primary activities for managing risk:

Identify: Risks must first be identified before they can be managed.

Analyze: Risks must be analyzed so that management can make prudent decisions about them.

Plan: For information about a risk to be turned into action, a detailed plan, outlining both present and potential future actions, ...

Get Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.