Abstract
In this paper, we present and discuss a framework for security risk management, focusing in particular on the selection of a management strategy for decision-making on security measures. The framework provides guidance on the selection of a suitable type of management strategy for various types of decision-making contexts. An Information and Communication Technology case study is used to illustrate the practical implications of the framework.
Acknowledgements
The authors are grateful to two anonymous reviewers for useful comments and suggestions on an earlier version of this paper. The authors would also like to thank all the project partners in the ValueSec project for many valuable comments and suggestions. The financial support by the EU 7th Framework Programme is gratefully acknowledged.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes
1. ValueSec was a research project funded by the European Commission’s Seventh Framework Programme running from 2011 to 2013 and was a joint research project between Fraunhofer, VTT – Technical Research Center of Finland, the Centre for European Security Strategies, ATOS, EMAG, the Peace Research Institute Oslo, White Cyber Knight Ltd., Policia Local de Valencia and the University of Stavanger.
2. We refer to the consequences of an attack/incident in the following only as the consequences of an attack, for the sake of simplicity.