CERTS: a comparative evaluation method for risk management methodologies and tools

Author
Garrabrants, William M.
Ellis, Alfred W. III
Date
1991-09
Advisor
Hoffman, Lance J.
Second Reader
Kamel, Magdi
Abstract
This thesis develops a comparative evaluation method for computer security risk management methodologies and tools. The subjective biases inherent to current comparison practices are reduced by measuring unique characteristics of computer security risk management methodologies. Standardized criteria are established and described by attributes which in turn are defined by metrics that measure the characteristics. The suitability of a method or tool to a particular organizational situation can then be analyzed objectively. Additionally, our evaluation method facilitates the comparison of methodologies and tools to each other. As a demonstration of its effectiveness, our method is applied to four distinct risk management methodologies and four risk management tools. Alternative models for utilizing the evaluation method are presented as well as possible directions for their application. Without an adequate means of comparing and evaluating risk management decision-making methodologies, the metadecision (the selection of a risk management method or tool) becomes arbitrary and capricious, thereby making an inappropriate selection more likely. Selection of an inappropriate method or tool could lead to excessive costs, misdirected efforts, and the loss of assets. The systematic and standard comparison method developed in this thesis resolves that problem.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.