As part of their compliance process with the Basel 2 operational risk management requirements, banks must define how they deal with information security risk management. In this paper we describe work in progress on a new quantitative model to assess and aggregate information security risks that is currently under development for deployment. We show how to find a risk mitigation strategy that is optimal with respect to the model used and the available budget.
Keywords: Risk management, risk assessment, risk aggregation, risk mitigation, Basel 2, multiple-choice knapsack problem
| Field | Value |
|---|---|
| Title of host publication | Information Security and Privacy (Proceedings 9th Australasian Conference, ACISP 2004, Sydney, Australia, July 13-15, 2004) |
| Editors | H. Wang, J. Pieprzyk, V. Varadharajan |
| Place of publication | Berlin |
| Publication status | Published - 2004 |
| Series name | Lecture Notes in Computer Science |