CERTS: a comparative evaluation method for risk management methodologies and tools

Bibliographic Details
Main Authors: Garrabrants, William M., Ellis, Alfred W. III
Other Authors: Hoffman, Lance J.
Language: en_US
Published: Monterey, California. Naval Postgraduate School 2013
Online Access: http://hdl.handle.net/10945/30691
Contributors: Garrabrants, William M.; Ellis, Alfred W. III; Hoffman, Lance J.; Kamel, Magdi; Naval Postgraduate School (U.S.); Department of Administrative Sciences
Dates: 2013-04-11T22:15:02Z; 2013-04-11T22:15:02Z; 1990-03
Type: Thesis
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, it may not be copyrighted.
collection NDLTD
language en_US
sources NDLTD
description Approved for public release, distribution is unlimited. This thesis develops a comparative evaluation method for computer security risk management methodologies and tools. The subjective biases inherent to current comparison practices are reduced by measuring unique characteristics of computer security risk management methodologies. Standardized criteria are established and described by attributes which in turn are defined by metrics that measure the characteristics. The suitability of a method or tool to a particular organizational situation can then be analyzed objectively. Additionally, our evaluation method facilitates the comparison of methodologies and tools to each other. As a demonstration of its effectiveness, our method is applied to four distinct risk management methodologies and four risk management tools. Alternative models for utilizing the evaluation method are presented as well as possible directions for their application. Without an adequate means of comparing and evaluating risk management decision-making methodologies, the metadecision (the selection of a risk management method or tool) becomes arbitrary and capricious, thereby making an inappropriate selection more likely. Selection of an inappropriate method or tool could lead to excessive costs, misdirected efforts, and the loss of assets. The systematic and standard comparison method developed in this thesis resolves that problem.