Navigate the Information Security Model

You can now browse through the Information Security Model! Based on feedback that I received I decided to allow users to navigate through the model in one screen.

Return on Information Security Investment

Many thanks to my colleague Pierre Felter for providing me with suggestions to amend the model and for providing some useful links at http://www.geocities.com/amz/

Free GOOGLE gmail account

A GOOGLE gmail account will be donated to the first 5 persons (who do not remain anonymous) who fill in the Questionnaire at Return on Information Security Investment Questionnaire. The submissions will be verified.

Return on Information Security Investment

HOW MUCH IS ENOUGH? HOW MUCH IS TOO MUCH!

http://www.geocities.com/amz/ gives the answer

My new website will help the information security practitioner assess the costs required to implement information security in an organisation and the returns that are obtained from such an investment. The research will be used in an MBA dissertation that is currently in progress.

If you are interested in this subject area write back to mailto:amz@yahoo.com?subject=ROISI. I have compiled an extensive compendium of links related to security , return on information security investment and other related topics.

To help in the research, kindly fill in the questionnaire, it will only take 2 minutes of your time. You will also receive a FREE pdf chart with an analysis of your current information security expenditure program. You may want to review the organisational model before completing the questionnaire.

Introduction and Rationale

As more and more organisations seek electronic ways of doing business, in particular by connecting to the Internet, they are recognising the need to do so in a secure way. According to (Scalet 2002) information security is an increasingly high-profile problem, as hackers take advantage of the fact that organizations are opening parts of their systems to employees, customers and other businesses via the Internet.

More recently, (Cachia & Micallef 2004) in their ongoing research, conclude that security was the attribute perceived to be most important by online shoppers when conducting e-commerce transactions.In surveys such as that of (Briney 2001) and (Briney & Prince 2002), it is evident that stringent IT budgets will only allow the applicability of a minimum subset of Information Security products and systems and thus it is necessary to prioritise in accordance with business objectives.

To date, little is known as to what the minimal subset should be and frequently information security practitioners use a best practice approach, (Liss 2001), to determine the information security budgets. The work is more often technically oriented with little heed paid to the economic aspects (Gordon & Loeb 2002).Although management is usually paranoid on risk management, it often takes Information Security as “for granted”, (BSI 2004), and is reluctant to invest in it, (Foster & Pacl 2002), barring the exceptional cases when the information system of the organisation is compromised.

Money spent in procedures may be less than that spent in security products themselves and this might result in cost savings, (Witty & Malik 2001), and other benefits, such as being a business enabler, (Liikanen 2004), to the company whilst maintaining the security level that the company enjoys.Calculating the return on security investment (ROSI) may not be necessarily done in monetary terms as in (Berinato 2002), but can be analysed using techniques such as the balanced scorecard (Hunt & Symons 2003). The business will be then in a position to understand whether it is under-spending or over-spending in the area of information security, depending on the results obtained.

References

Bahadur, G. 2003, Developing Security Risk Metrics, Available: [http://www.foundstone.com/resources/downloads/webcast-121903/Developing_Security_Risk_Metrics.pdf] (18 April 2004).

Berinato, S. 2002, Finally, a Real Return on Security Spending, Available: [http://www.cio.com/archive/021502/security.html] (16 April, 2004).

Briney, A. 2001, '2001 Industry Survey', Information Security, pp. 34-47.

Briney, A. & Prince, F. 2002, '2002 ISM Survey', Information Security, pp. 36-54.
BSI 2004, BSI - short informations to current topics of IT Security, Available: [http://www.bsi.bund.de/english/fb/F30image_en.pdf] (17 April 2004).

Cachia, E. & Micallef, M. 2004, Towards Effectively Appraising Online Stores, Available: [http://www.cs.um.edu.mt/~csaw/Proceedings/00.pdf] (25 September 2004).

Foster, S. & Pacl, B. 2002, Analysis of Return on Investment for Information Security.
Gordon, L. A. & Loeb, M. P. 2002, 'The Economics of Information Security Investment', ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457.

Hunt, S. & Symons, C. 2003, Aligning Security with the Business: The Balanced Scorecard, Available: [http://www.csoonline.com/analyst/report816.html].

Karofsky, E. 2001, 'Return on Security Investment: Calculating the Security Investment Equation', Secure Business Quarterly, vol. 1, no. 2.

Liikanen, E. 2004, 'European Network Security', in CEBIT, 2004 edn, Hannover.

Liss, S. 2001, 'Practical Aspects of Information Security', InfoGroup NorthWest.

Scalet, S. D. 2002, Glossary, Security and Privacy Research Center, Available: [http://www.cio.com/research/security/edit/glossary.html] (18 April 2004).

Soo Hoo, K. J. 2000, 'How Much Is Enough? A Risk-Management Approach to Computer Security', Consortium for Research on Information Security and Policy (CRISP).

Witty, R. & Malik, W. 2001, 'Security TCO Model Helps with more than cost savings', Gartner FirstTake, no. FT-13-9070.

International Factors

EXTERNAL FACTORS
INTERNATIONAL SECURITY
http://artilect.org/altman/moy.pdf [Information Warfare]
http://www.dodccrp.org/publications/pdfs.htm [Ultra Important - Information Warfare]
http://www.mors.org/meetings/oa_nco/oa_bibliography.htm
http://www.fas.org/irp/congress/1996_hr/s960605l.htm

e-GOVERNMENT
Southampton Case Study

EU
http://www.eema.org/static/isse/index.htm#
http://www.euractiv.com/cgi-bin/cgint.exe?204&OIDN=1507413&-tt=me
http://www.enisa.eu.int/
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=SPEECH/04/1480RAPID&lg=EN&display= [INCLUDED]
http://www.eubusiness.com/imported/2002/12/98660
http://europa.eu.int/comm/enterprise/ict/studies/publications.htm

Corporate Security

ASSETS
http://www.dawgroup.com/mc/

FAILURE/VULNERABILITIES
http://www.cl.cam.ac.uk/users/rja14/wcf.html
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-471.pdf
http://www.research.att.com/~smb/papers/ipext.pdf [TCP/IP]
http://www.deter.com/unix/papers/dragons_bellovin.pdf [Tools]
http://www4.gartner.com/ps/asset_61048_1535.jsp
http://www.tracking-hackers.com/papers/berferd.pdf

THREATS
http://www.securityfocus.com/infocus/1768 [SQL injection]
http://www.all.net/journal/ntb/cause-and-effect.html [Threats, Attacks]

INSIDER THREATS
http://www.symantec.com/region/reg_ap/smallbiz/library/
insider.html

Security Methods

SECURITY METHODS
ENCRYPTION & SECURITY METHODS
http://csrc.nist.gov/CryptoToolkit/dss/ecdsa/NISTReCur.pdf [Elliptical Curves]
http://news.com.com/2100-7345-5180510.html?part=dht&tag=ntop [XML]
http://www.infoworld.com/article/04/02/16/07NNforum_1.html [XML Firewall]

2-FACTOR AUTHENTICATION
http://www.nwfusion.com/newsletters/dir/2004/0614id1.html
http://www.itsecurity.com/asktecs/may901.htm
http://www.net-security.org/press.php?id=1805
http://www.wikidsystems.com/
http://motp.dyndns.org/
http://www.megaas.co.nz/

SECURITY PRODUCTS
http://www.scanalert.com/Technical
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/
networking_solutions_package.html

POLICIES, STANDARDS & GUIDELINES

POLICIES
http://www.information-security-policies-and-standards.com/download.htm

DOCUMENTATION
http://crpit.com/confpapers/CRPITV21AFung.pdf

IT GOVERNANCE
http://www.e-mountaincorp.com/securitylinks.html
http://www.itgovernance.co.uk/page.home
http://www.theiia.org/eSAC/pdf/BLG0331.pdf
http://www.isaca.org.pl/PIR/POLCACS2001/williams1_eng.pdf

COBIT/ ITL/ ISO 17799
http://infosecuritymag.techtarget.com/2002/mar/iso17799.shtml
http://www.dti-bestpractice-tools.org/healthcheck/
http://www.itsmf.org.za/Presentations/CobiT%20ITIL%20and%20BS7799.pdf
http://www.all.net/books/audit/bs7799.html
http://www.riskwatch.com/rw17799.asp
http://www.securityrisk.co.uk/bs7799/cobdown.htm
http://www.infosyssec.net/infosyssec/secpol1.htm
http://www.giac.org/practical/GSEC/Marc_Vaughan_GSEC.pdf
http://emea.bsi-global.com/InformationSecurity/Overview/WhatisanISMS.xalter
http://www.itsc.org.sg/standards_news/2001-09/TaewanPark-Korea-Business-Experience-of-BS7799-Certification.pdf
http://www.securityauditor.net/iso17799/
http://www.dnv.no/Binaries/BS7799_brochure_tcm28-9012.pdf
http://www.itsc.org.sg/standards_news/2001-09/JohnSnare-Australia-ISO-IEC-17799-Australia-Perspective.pdf
http://www.netlab.hut.fi/opetus/s38153/k2004/
Lectures/ISO17799L_Overview_TKK.pdf
http://assetz.com/AssetzConsulting/dloads/
BS7799_CRAMM_Explained_Assetz11-02.pdf
http://www.gammassl.co.uk/bs7799/The%20Newly
%20Revised%20Part%202%20of%20BS%207799ver3a.pdf
http://www.hkcert.org/ppt/event106/isms.pdf
http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
http://www.pelttech.com/issa/Preparing%20for%20ISO%2017799.pdf
http://www.lucent.com/livelink/209341_Whitepaper.pdf
http://www.software.org/pub/externalpapers/
UnderstandingISO17799.pdf
http://www.software.org/pub/externalpapers/UsingISO17799.pdf
http://www.itsc.org.sg/standards_news/2003-03/introduction_to_ISMSWG_status_update.pdf
http://www.imonline.co.uk/aboutthefirm/downloads/
pages_from_BG_review_march_04.pdf
http://www.netegrity.com/PDFS/REGULATORY/BS7799%20Sheet.PDF
http://www.guidancesoftware.com/corporate/
whitepapers/downloads/ISO17799.pdf
http://www.phi-solutions.com/documents/ISO17799
_SSE_CMM_comparison.pdf
http://www.iso-17799.com/evaluate.htm
http://www.itsc.org.sg/synthesis/2001/itsc-synthesis2001-
thowchang-siewmun-alvinfoo-isms.pdf
http://documents.iss.net/marketsolutions/ISOMatrix.pdf

OECD Guidelines
http://www.oecd.org/document/42/0,2340,
en_2649_34255_15582250_1_1_1_1,00.html
http://www.oecd.org/dataoecd/16/22/15582260.pdf [latest OECD guidelines]
http://www.oecd.org/document/19/0,2340,
en_2649_34255_1815059_1_1_1_1,00.html [Original OECD guidelines]
http://www.oecd.org/document/18/0,2340,en_2649
_34255_1815186_1_1_1_1,00.html [1980 OECD guidelines]
http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf?OpenDatabase [OECD - Towards a culture of security]
http://www.olis.oecd.org/olis/2003doc.nsf/
43bb6130e5e86e5fc12569fa005d004c/
81dd07040a1c0e43c1256eb6005423d4/$FILE/JT00166335.PDF [OECD Survey]

EU Guidelines
http://europa.eu.int/eur-lex/en/com/cnc/2001/com2001_0298en01.pdf
http://europa.eu.int/information_society/eeurope/2005/
doc/all_about/csirt_handbook_v1.pdf
http://www.enisa.eu.int/

SECURITY CONTEXTS

PHYSICAL SECURITY
http://www.stormingmedia.us/74/7426/A742604.html
http://www.tisp.org/files/pdf/criticalinfreport.pdf [Critical Infrastructure]

SECURITY IN E-COMMERCE
http://www.ecommercetimes.com/perl/section/security/ [Security in e-commerce]

SME & Security
http://www.giac.org/practical/GSEC/Jeff_Herbert_GSEC.pdf
http://www.giac.org/practical/GSEC/Anna_Smears_GSEC.pdf
http://www.dmst.aueb.gr/dds/pubs/jrnl/1999-IMCS-Soft-Risk/html/soho.html
http://www.cio.com.au/index.php?id=119118373&fp=2&fpid=2%20
http://www.cisco.com/global/DK/docs/print/
sikkerhedsseminar_2003_idc.pdf [Security & SME]

MOBILE USERS
http://www.securityfocus.com/infocus/1777

PEOPLE
http://www.economist.com/surveys/displayStory.cfm?story_id=1389553 [See other links in page]
http://www.kevinmitnick.com/news-030300-senatetest.html
http://www.humanfirewall.org/default.asp [Human Firewall]
http://www.humanfirewall.org/SMIReport/SMIReport2003.pdf [Survey]
http://ted.see.plym.ac.uk/nrg/presentations/Security_Training.htm [Awareness]
http://news.com.com/2009-1001-843375.html
http://www.computer.org/security/V2n5/gei.htm [Usability]
http://infosecuritymag.techtarget.com/articles/1999/buck.shtml [Salaries]

SECURITY DATA

SECURITY METRICS
http://www.securitymetrics.org/content/
http://www.foundstone.com/resources/downloads/webcast-121903/Developing_Security_Risk_Metrics.pdf [DONE]

SECURITY COSTS
http://www.netcordia.com/tools/whitepapers.html
http://www.notablesoftware.com/Papers/SecCost.html
http://www.itl.nist.gov/fipspubs/fip191.htm
http://infosecuritymag.techtarget.com/articles/1999/
enough.shtml [Budgets]
http://infosecuritymag.techtarget.com/articles/1999/chart2.shtml [Expenditure]
http://www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/
archive/Report/ICAMPReport2.pdf

PRICING SECURITY
http://citeseer.ist.psu.edu/rd/41699131%2C489327%2C1%2C0.25%2CDownload/http%3AqSqqSqwww.cert.orgqSqresearchqSqiswqSqisw20
00qSqpapersqSq54.pdf
http://citeseer.ist.psu.edu/camp00pricing.html
http://citeseer.ist.psu.edu/577738.html
http://citeseer.ist.psu.edu/schechter02quantitatively.html
http://citeseer.ist.psu.edu/578826.html
http://infosecuritymag.techtarget.com/2002/aug/
securitymarket.shtml

Surveys
http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf
http://www.csoonline.com/csoresearch/report35.html
http://www.security-survey.gov.uk/
http://www.cs.um.edu.mt/~csaw/Proceedings/00.pdf [Very Recent Survey re: e-commerce]
http://infosecuritymag.techtarget.com/ss/
0,295796,sid6_iss486_art1005,00.html [Comparison of antivirus suppliers support]
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/csi-fbi2000.pdf [FBI Survey]

ROI, ROSI & ALE

ROI
http://www.3com.co.uk/promotions/roi/
http://answers.google.com/answers/threadview?id=222921
http://www.itsecurity.com/asktecs/oct3201.htm

ROI & Economics of Information Security
http://www.getronics.com/NR/rdonlyres/ejhsokxgywr3iom
4mn4vq43l73fmqzsqbsnz47jd2thnvawjlceksww2zuu3yd3
3tnybjcjmjbtbmyfyxa2r4nhpure/wp_analysis_
return_on_investment.pdf [ROSI]
http://whitepapers.zdnet.co.uk/0,39025942,60064781p,00.htm [ROSI]
http://www.sbq.com/sbq/rosi/ [ROSI]
http://www.eecs.harvard.edu/~stuart/papers/fc03.pdf [Harvard Paper]
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/econ.pdf
http://www.dtc.umn.edu/weis2004/
http://www.dtc.umn.edu/weis2004/agenda.html [Ultra Recent!]
http://www.cl.cam.ac.uk/users/rja14/econsec.html [Very Good Link]
http://www.cl.cam.ac.uk/users/rja14/econws.html [Basis of history in literature review]
http://itresearch.forbes.com/detail/RES/1057858077_908.html
http://www.intel.com/network/connectivity/emea/eng/
solutions/security/roi.htm
http://csrc.nist.gov/roi/proceedings.html
http://csrc.nist.gov/roi/wksps0603-notes/NIST-Wkshp-bothsessions.pdf [Good argument with respect to ROI & NPV]
http://infosecuritymag.techtarget.com/2002/jul/
curmudgeons_corner.shtml
http://www.umiacs.umd.edu/partnerships/ltsdocs/Gordon-Loeb%2003%20NSA_presentation.pdf [Economic aspects]
http://www.rainbow.com/library/8/
EconomicsAspectsOfInformationSecurity.pdf [Contact authors for extra material]
http://www.cio.com/archive/021502/security.html
http://www.cio.com/archive/021502/security_sidebar.html
http://imailab-www.iis.u-tokyo.ac.jp/Members/kanta/CEF2003.pdf
http://www.whitehouse.gov/omb/inforeg/infopoltech.html [Spending]
http://www.eecs.harvard.edu/~stuart/papers/thesis.pdf [PhD thesis]
http://citeseer.ist.psu.edu/578826.html
http://ideas.repec.org/s/sce/scecf3.html
http://www.umiacs.umd.edu/partnerships/ltsdocs/Gordon-Loeb%2003%20NSA_presentation.pdf
http://www.umiacs.umd.edu/docs/umiacspresentation.pdf
http://www.financetech.com/utils/printableArticle.jhtml?articleID=18901266
http://www.secure-biz.net/Spring2004/speaker_presentation/Lawrence%20Gordon.ppt
http://www.secure-biz.net/Spring2004/presentations.htm
http://www.cpppe.umd.edu/rhsmith3/agenda.htm [2nd Annual Workshop]
http://www.dtc.umn.edu/weis2004/agenda.html [3rd Annual Workshop]
http://www.fsl.cs.sunysb.edu/docs/cost-acm_ccs/acm_ccs.html
http://students.depaul.edu/~gmahjub/ [THESIS DRAFT]
http://www.computerworld.com/managementtopics/
http://www.securityfocus.com/infocus/1608 [ROI of IDS]
http://www.nai.com/us/promos/corp/article2.asp [ROI of IDS]
http://www.continuitycentral.com/news0312.htm [IDS Market Failure]
ROIT White Paper [Return on Information Technology]
Economics of Cyber Crime [NPV approach]
http://www.oict.nsw.gov.au/content/7.1.15.ROSI.asp
http://www.corsaire.com/articles/030317-rosi.html
http://comment.cio.com/talkback/021502.html [ROSI]

OVERSPENDING/UNDERSPENDING
http://news.com.com/2010-1071-966448.html [Is IT Overspending in Security?]

INFORMATION ECONOMICS
http://citeseer.ist.psu.edu/rd/0,513304,1,0.25,Download/
http:qSqqSqwww.coiera.comqSqpapersqSqjamia-00-infoecon.pdf
http://www.sims.berkeley.edu/~hal/Papers/mattioli/mattioli.pdf

ALE
http://comment.cio.com/comments/8408.html
http://keith.mccammon.org/docs/loss_expectancy.php
http://comment.cio.com/comments/8408.html
http://citeseer.ist.psu.edu/george98practical.html [Assurance, mention of ALE]
http://citeseer.ist.psu.edu/392822.html
http://www.cccure.org/Documents/HISM/229-230.html
http://www.linuxjournal.com/article.php?sid=5567
http://www.riskinfo.com/cyberisk/Watersupply/SCADA-thesis.html [Origin of ALE???]
http://csrc.nist.gov/publications/fips/fips31/fips31.pdf [First mention of ALE]
http://www.cs.kau.se/~albin/Documents/F18-RiskAnalysis.pdf
http://www.spybusters.com/SS0202.html
http://www.drj.com/new2dr/w3_030.htm
http://linuxsecurity.org/feature_stories/feature_story-98.html [Good article]

RISK

RISK ASSESSMENT
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
http://www.nytimes.com/library/financial/columns/060100econ-scene.html#1
http://www.ey.com/global/download.nsf/Singapore/
A_Strategic_Guide_to_Enterprise_Security/$file/
CLevel%20Asia%20Security%20Supplement.pdf
http://www.foundstone.com/ [Very Good Link: Contact Mc Afee: yaniv_alfi@mcafee.com]
http://www.techdirectory.ws/Business_Software/
Project_Management/Risk_Analysis/default.aspx [Risk Analysis]
http://www.analytics-solutions.com/resources.html [Risk Measurement]
http://www.active-information.co.uk/findoutmore.htm [Risk Analysis, Cobra]
http://www.gloriamundi.org/picsresources/jjjr.pdf [Methodology for Risk Assessment]
http://all.net/journal/netsec/1998-12.html [Balancing Risk]
http://csrc.nist.gov/nissc/1997/proceedings/331.pdf [Risk Analysis]
http://csrc.nist.gov/nissc/1996/papers/NISSC96/
paper012/nissc96.pdf [Risk Assessment]
http://www.riskreports.com/htdocs/publications.html [Risk Management Resources]
http://www.oit.nsw.gov.au/pdf/4.4.16.IS1.pdf [Security Risk Management]

TOOLS
http://csrc.nist.gov/asset/ [Automated Security Self Assessment Tool]
http://csrc.nist.gov/publications/nistpubs/500-174/sp174.txt [Guide for Risk tools]
http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf [Self Assessment Tool]
http://www.sandstorm.net/security/resources?cid=5428 [Various Tools]
http://www.cs.kau.se/IFIP-summerschool/preceedings/Jung.pdf [Risk analysis Tools]
http://scolar.vsc.edu:8004/VSCCAT/ACB-0689 [Decision Analysis]
http://www.sans.org/rr/papers/5/83.pdf [Risk analysis Tools]
Prioritisation of Risk
http://www.cs.ucl.ac.uk/staff/W.Emmerich/lectures/3C05-01-02/aswe3.pdf
http://www.microsoft.com/technet/security/
guidance/secrisk/default.mspx [Microsoft Security Risk Management Guide]
http://www.informationweek.com/698/98iursk.htm [Acceptable Risk]

SERIM (Software Engineering RIsk Management) - IEEE
http://www.devicelink.com/mddi/archive/97/06/017.html
http://www.risksig.com/members/resources/risks.htm

RISKMAN - EU Project
http://www.eas.asu.edu/~sdm/merrill/riskman.html

Security Basics

DEFINITION
http://citeseer.ist.psu.edu/rd/60115588,576594
,1,0.25,Download/http://citeseer.ist.psu.edu/cache/papers/cs/
27723/http:zSzzSzcs-www.cs.yale.eduzSzhomeszSzjfzSzAFMP.pdf/
towards-better-definitions-and.pdf

CIA
http://www.computer.org/security/V2n5/bas.htm [More than CIA]
http://www.ezrisk.co.uk/Info_Sec.html [Security Definition]

HISTORY
http://www.rand.org/publications/R/R609.1/R609.1.html
http://csrc.nist.gov/publications/history/#paperlist
http://csrc.nist.gov/publications/history/ande72.pdf [Very good]
http://csrc.nist.gov/publications/fips/ [Important - FIPS 31,87,65(obsolete)]
http://mixter.void.ru/is-evol.html
http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper005/ncsc96.pdf
http://csrc.nist.gov/cc/CC-v2.1.html
http://www.iwar.org.uk/comsec/resources/standards/itsec.htm
http://www.commoncriteriaportal.org/public/consumer/index.php?menu=1 [Common Criteria]
http://www.packetstormsecurity.org/docs/rainbow-books/ [Very Good]


SECURITY GENERAL
http://www.noticebored.com/html/general.html [Excellent Site]
http://www.gtisc.gatech.edu/
http://www.gtisc.gatech.edu/SecureWorld.PPT
http://itresearch.forbes.com/rlist/920045790_12/Network-Security-Software.html
http://www.mcandl.com/computer-security.pdf
http://vig.prenhall.com/catalog/academic/product/
1,4096,0130355488,00.html [See sample chapters!]
http://ted.see.plym.ac.uk/nrg/presentations.htm [Links]
http://www.uscib.org/docs/information_security_biac_icc.pdf
http://www.anu.edu.au/people/Roger.Clarke/EC/IntroSecy.html [GOOD INTRODUCTION]
http://www.counterpane.com/literature.html
http://sec.ietf.org/
http://mixter.void.ru/papers.html
http://mixter.void.ru/protecting.html [Paper]
http://www.zdnet.co.uk/search/?collection=whitepapers&query=Security+Standards [Many good links]
http://sunnettalk.mentorware.net/content/subsystems/12056/courses/
SNTA-20030814/0001/mwclassframe.html?classid=25219
http://www.nap.edu/books/NI000361/html/ [BOOKS]
http://books.nap.edu/books/0309043883/html/index.html [Computers at Risk]
http://www.sims.berkeley.edu/~tygar/papers.htm
http://www.sandstorm.net/security/resources?cid=88374
http://www.cs.nps.navy.mil/people/faculty/irvine/publications.html
http://www.cccure.org/Documents/HISM/ewtoc.html
http://www.notablesoftware.com/secwatch.html
http://business.att.com/insight/
http://www.research.att.com/~smb/papers/ [Many Resources]
http://veerle.duoh.com/index.php?id=P253 [Security the Reality]
http://www.techdirectory.ws/Computer_Security/default.aspx [Computer Security]
http://www.tpub.com/content/istts/14222/index.htm
http://www.cimu.gov.mt/htdocs/section.asp?s=76 [CIMU]
http://infosecuritymag.techtarget.com/ [Many Links]
http://infosecuritymag.techtarget.com/archives2001.shtml [Many Links]
http://all.net/

MANAGEMENT OF INFORMATION SECURITY
http://reform.house.gov/UploadedFiles/Best%20Practices%20Bibliography.pdf [Many Links]
http://adt.curtin.edu.au/theses/available/adt-WCU20020522.151935/ [Thesis]
http://www.library.uow.edu.au/adt-NWU/public/adt-NWU20031126.142250/ [Thesis]
https://www.qualys.com/docs/yankee-whitepaper.pdf [BEST Practices]
http://www.issa.org/PDF/research-BSA-ISSA.pdf [SURVEY]
http://technologyreports.net/securityinnovator/index.html?articleID=3339
http://technologyreports.net/securityinnovator/?articleID=3234
http://infosecuritymag.techtarget.com/ss/0,295796,
sid6_iss407_art814,00.html
http://www.securitydocs.com/links/2128 [Evolution of Security Mindset]
http://citeseer.ist.psu.edu/16678.html
http://www.ieee-security.org/cfp.html
http://all.net/journal/netsec/index.html [Management of Network Security]

BEST PRACTICE
http://www.dti.gov.uk/bestpractice/technology/security.htm (Very Good site)
http://www.dti.gov.uk/bestpractice/assets/hardfacts.pdf

NoticeBoard Links to my site

Today, http://www.noticebored.com/html/general.html made a link to my website: http://www.geocities.com/amz/ . Many thanks to Dr. Hinson for his suggestions and for maintaining the resourceful website at http://www.noticebored.com/.