Developing a Quantitative Framework Tool to Implement Information Security Risk Management

Date

2019-12

Abstract

The purpose of this paper is to provide a quantitative cyber risk management framework that small to medium organizations can implement in their operational plans. This paper will analyze resources to estimate patterns of attacks, cost of assets, cost of data records, and cost/benefit analysis. With proper calculations, a small or medium business owner will be able to follow the framework and produce two outcomes: the annual loss to the organization and a cost/benefit estimate to determine return on investment. Based on these two outcomes, executives or stakeholders will make one of three decisions: accept the risk, transfer the risk, or invest in risk management.

Keywords

Analyze resources, cost/benefit analysis, Annual loss
