You may find the paper on risk management at http://www.auditnet.org/docs/riskmgmt.PDF useful. Perhaps the one at http://www.auditnet.org/docs/riskmeth.PDF.
BTW: Be very, very careful with the canned tools - I have observed a tendency for there to be some very "odd" assumptions behind those curtains...

Jim

Infosec Risks wrote:
>
> Hi, I am quite new to the list but I find many
> of your discussions quite interesting.
>
> At the moment I am working and researching in the
> field of infosec risk evaluation and risk management.
> Can anybody help me find some useful links,
> papers, theses, tools, anything useful in this field?
>
> My idea is to try to prove to the IT management in a
> company that they need to invest a certain amount of
> money into the protection of their most valuable
> assets/information systems.
>
> Sometimes it is hard to evaluate the real value of
> information/assets processed in a company.
> How to quantify the risks and in the end how
> can the identified risks be met? The goal is
> to provide BS7799 compliance of the security
> policy but again - the most feasible.
>
> Most likely companies should not invest more money
> into their information security than the value
> of the possible loss is (in case of an incident)?
>
> Thanks for your help.
>
> BR,
>
> Sand@

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566