Threat, Vulnerability, and Consequence: A Framework for Managing Security

 It is difficult to evaluate security expenditures using traditional ROI calculations because the return on security “investments” are not based on tangibles such as profits or incomes. Instead, returns on security investments come in the form of events that do not happen. Companies should use the Security Risk Equation, which defines security risk by three variables: threat, vulnerability, and consequence, as well as the risk-based return on investment (RROI) equation. RROI can be used to evaluate competing proposals for security initiatives.

Executive Action Report (6 pgs)
Members: Sign in to see if this product is complimentary with your membership.
Non-members: Not available
(Email us to learn more about membership