ABSTRACT
Information security-conscious managers of organizations have the responsibility to advise their senior management of the level of risks faced by the information systems. This requires managers to conduct vulnerability assessment as the first step of a risk analysis approach. However, a lack of real world data classification of security threats and develops a three-axis view of the threat space. It develops a scheme for probabilistic evaluation of impact of the security threats and proposes a risk management system consisting of a five-step approach. The goal is to assess the expected damages due to attacks, and managing the risk of attacks.