Date Added: Jan 2010
Information security is relatively new field that is experiencing rapid growth in terms of malicious attack frequency and the amount of capital that firms must spend on attack defense. This rise in security expenditures has prompted corporate leadership teams to scrutinize corporate security budgets. Information security risk, and the related financial impact, is not as easily calculated as other traditional sources of enterprise risk. This paper provides one method by which a firm may calculate the likelihood of a successful cyber security attack and the resulting financial impacts. The method incorporates annual loss expectancy and cost-benefit, which are tools familiar to most mid-level managers responsible for budget creation.