Text File  |  1993-01-25  |  938 b   |  21 lines

Newsgroups: comp.security.misc
Path: sparky!uunet!paladin.american.edu!howland.reston.ans.net!usc!sol.ctr.columbia.edu!The-Star.honeywell.com!umn.edu!sctc.com!smith
From: smith@sctc.com (Rick Smith)
Subject: Re: quantitative risk analysis
Message-ID: <1993Jan25.194004.10574@sctc.com>
Keywords: risk analysis
Organization: SCTC
References: <1993Jan22.060220.27585@cs.uow.edu.au>
Date: Mon, 25 Jan 1993 19:40:04 GMT
Lines: 9

I haven't seen anything on cost/benefit and computer security risk
analysis, but there are several US DOD Orange Book derived approaches
that specify strength of security (actually, Orange Book rating) to
security risk (actually, range of data sensitivity handled).  It's
documented in the Yellow Book: CSC-STD-003-85, Guidance for Applying
the TCSEC in Specific Environments.

I remember hearing a couple of papers presenting alternative rating
approaches at the 1991 NCSC, and they should be in the Proceedings.