Lippiatt, B.
and Fuller, S.
(2007),
An Analytical Approach to Cost-Effective, Risk-Based Budgeting for Federal Information System Security, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.7385
(Accessed April 18, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
An Analytical Approach to Cost-Effective, Risk-Based Budgeting for Federal Information System Security
Published
Author(s)
, Sieglinde K. Fuller
Abstract
The purpose of this report is to identify and illustrate an approach to simplify and strengthen capital planning for information system security in compliance with federal policy and guidance. The report provides the theoretical underpinnings of a methodology that will enable budgeting officials, system owners, and managers to select cost-effective strategies for optimizing the level of information system security to be achieved, given the level of vulnerability faced by the organization. The method of evaluation used is the Analytic Hierarchy Process (AHP), a multi-attribute decision approach. It integrates quantitative and qualitative information in a hierarchical structure in such a way that decision-makers can logically and consistently evaluate all the alternatives in a complex decision problem. An illustrative case study applies the AHP to the selection of a cost-effective security investment, given the likelihood and magnitude of threats to the information system. Expert judgments of risks, overall agency goals, and existing system weaknesses are merged with investment costs to illustrate the AHP process for calculating a measure of merit for evaluating investment alternatives.Citation
NIST Interagency/Internal Report (NISTIR) - 7385
Report Number
7385
NIST Pub Series
Pub Type
NIST Pubs
Download Paper
Citation
Created January 1, 2007, Updated November 10, 2018