{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T19:22:30Z","timestamp":1763580150493},"reference-count":30,"publisher":"Elsevier BV","issue":"2","license":[{"start":{"date-parts":[[2003,12,1]],"date-time":"2003-12-01T00:00:00Z","timestamp":1070236800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information & Management"],"published-print":{"date-parts":[[2003,12]]},"DOI":"10.1016\/s0378-7206(03)00044-2","type":"journal-article","created":{"date-parts":[[2003,5,19]],"date-time":"2003-05-19T17:32:55Z","timestamp":1053365575000},"page":"149-158","source":"Crossref","is-referenced-by-count":87,"title":["The IS risk analysis based on a business model"],"prefix":"10.1016","volume":"41","author":[{"given":"Bomil","family":"Suh","sequence":"first","affiliation":[]},{"given":"Ingoo","family":"Han","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"issue":"4","key":"10.1016\/S0378-7206(03)00044-2_BIB1","doi-asserted-by":"crossref","first-page":"375","DOI":"10.1145\/162124.162127","article-title":"Information systems security design methods: implications for information systems development","volume":"25","author":"Baskerville","year":"1993","journal-title":"ACM Computing Surveys"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB2","doi-asserted-by":"crossref","unstructured":"S.P. Bennett, M.P. Kailay, An application of qualitative risk analysis to computer security for the commercial sector, in: Proceedings of Eighth IEEE Annual Computer Security Applications Conference, San Antonio, TX, USA, 1992, pp. 64\u201373.","DOI":"10.1109\/CSAC.1992.228232"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB3","unstructured":"CCTA, The CCTA Risk Analysis and Management Method (CRAMM) User Guide, UK Government Central Computer and Telecommunications Agency (CCTA), IT Security and Privacy Group, London, UK, 1993."},{"issue":"2","key":"10.1016\/S0378-7206(03)00044-2_BIB4","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1016\/0960-2593(94)90002-7","article-title":"EDP risk analysis","volume":"1994","author":"Cerullo","year":"1994","journal-title":"Computer Audit Journal"},{"issue":"5","key":"10.1016\/S0378-7206(03)00044-2_BIB5","first-page":"30","article-title":"Analyzing the cost-effectiveness of computer controls and security","volume":"38","author":"Cerullo","year":"1981","journal-title":"The Internal Auditor"},{"issue":"3","key":"10.1016\/S0378-7206(03)00044-2_BIB6","doi-asserted-by":"crossref","first-page":"223","DOI":"10.1016\/S0167-4048(97)00004-7","article-title":"Risk analysis: requirements, conflicts and problems","volume":"16","author":"Ciechanowicz","year":"1997","journal-title":"Computers & Security"},{"issue":"4","key":"10.1016\/S0378-7206(03)00044-2_BIB7","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1016\/S0167-4048(98)80010-2","article-title":"A conceptual framework for information security management","volume":"17","author":"Finne","year":"1998","journal-title":"Computers & Security"},{"issue":"3","key":"10.1016\/S0378-7206(03)00044-2_BIB8","doi-asserted-by":"crossref","first-page":"234","DOI":"10.1016\/S0167-4048(00)88612-5","article-title":"Information systems risk management: key concepts and business processes","volume":"19","author":"Finne","year":"2000","journal-title":"Computers & Security"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB9","unstructured":"GAO, Executive Guide Information Security Management: Learning from Leading Organizations, United States General Accounting Office (GAO), Accounting and Information Management Division, Washington, DC, USA, 1998."},{"issue":"4","key":"10.1016\/S0378-7206(03)00044-2_BIB10","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1109\/62.756078","article-title":"Physical protection systems\u2014cost and performance analysis: a case study","volume":"14","author":"Hicks","year":"1999","journal-title":"IEEE AES Systems Magazine"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB11","unstructured":"J.A. Hoffer, J.F. George, J.S. Valacich, Modern Systems Analysis & Design, Addison\u2013Wesley\u2013Longman, New York, NY, USA, 1999."},{"key":"10.1016\/S0378-7206(03)00044-2_BIB12","unstructured":"I. Jacobson, M. Ericsson, A. Jacobson, The Object Advantage: Business Process Reengineering with Object Technology, Addison\u2013Wesley, New York, NY, USA, 1995."},{"issue":"1","key":"10.1016\/S0378-7206(03)00044-2_BIB13","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1002\/(SICI)1099-1174(199903)8:1<61::AID-ISAF156>3.0.CO;2-6","article-title":"Risk analysis for electronic commerce using case-based reasoning","volume":"8","author":"Jung","year":"1999","journal-title":"International Journal of Intelligent Systems in Accounting, Finance & Management"},{"issue":"5","key":"10.1016\/S0378-7206(03)00044-2_BIB14","doi-asserted-by":"crossref","first-page":"449","DOI":"10.1016\/0167-4048(95)00013-X","article-title":"RAMeX: a prototype expert system for computer security risk analysis and management","volume":"14","author":"Kailay","year":"1995","journal-title":"Computers & Security"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB15","unstructured":"K.C. Laudon, J.P. Laudon, Management Information Systems: Organization and Technology, third ed., Macmillan, New York, NY, USA, 1994."},{"issue":"2","key":"10.1016\/S0378-7206(03)00044-2_BIB16","doi-asserted-by":"crossref","first-page":"173","DOI":"10.2307\/249574","article-title":"Threats to information systems: today\u2019s reality, yesterday\u2019s understanding","volume":"16","author":"Loch","year":"1992","journal-title":"MIS Quarterly"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB17","unstructured":"J. Martin, Strategic Data-Planning Methodologies, Prentice-Hall, Englewood Cliffs, NJ, USA, 1982."},{"issue":"3","key":"10.1016\/S0378-7206(03)00044-2_BIB18","first-page":"14","article-title":"Developing an IS risk assessment process","volume":"1996","author":"McNamee","year":"1996","journal-title":"IS Audit & Control Journal"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB19","unstructured":"R.R. Moeller, Computer Audit, Control, and Security, Wiley, New York, NY, USA, 1989."},{"issue":"7","key":"10.1016\/S0378-7206(03)00044-2_BIB20","doi-asserted-by":"crossref","first-page":"596","DOI":"10.1016\/S0167-4048(00)07020-6","article-title":"A practical risk analysis approach: managing BCM risk","volume":"19","author":"Nosworthy","year":"2000","journal-title":"Computers & Security"},{"issue":"4","key":"10.1016\/S0378-7206(03)00044-2_BIB21","doi-asserted-by":"crossref","first-page":"363","DOI":"10.2307\/249191","article-title":"A stochastic dominance approach to risk analysis of computer systems","volume":"10","author":"Post","year":"1986","journal-title":"MIS Quarterly"},{"issue":"1","key":"10.1016\/S0378-7206(03)00044-2_BIB22","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1080\/07421222.1991.11517914","article-title":"Risk analysis for information technology","volume":"8","author":"Rainer","year":"1991","journal-title":"Journal of Management Information Systems"},{"issue":"1","key":"10.1016\/S0378-7206(03)00044-2_BIB23","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1016\/0377-2217(90)90057-I","article-title":"How to make a decision: the analytic hierarchy process","volume":"48","author":"Saaty","year":"1990","journal-title":"European Journal of Operational Research"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB24","unstructured":"T.L. Saaty, The Analytic Hierarchy Process: Planning, Priority Setting, Resource Allocation, McGraw-Hill, New York, NY, USA, 1980."},{"key":"10.1016\/S0378-7206(03)00044-2_BIB25","unstructured":"M.R. Smith, Commonsense Computer Security, McGraw-Hill, London, UK, 1993."},{"issue":"3","key":"10.1016\/S0378-7206(03)00044-2_BIB26","doi-asserted-by":"crossref","first-page":"143","DOI":"10.1016\/0378-7206(94)90038-8","article-title":"A framework for information security evaluation","volume":"26","author":"Solms","year":"1994","journal-title":"Information & Management"},{"key":"10.1016\/S0378-7206(03)00044-2_BIB27","unstructured":"D.A. Stolovitch, L.D. Robertson, Whose Risk Is It Anyway? in: Proceedings of the 10th Annual Canadian Information Technology Security Symposium, Ottawa, Canada, 1998, pp. 123\u2013148."},{"key":"10.1016\/S0378-7206(03)00044-2_BIB28","unstructured":"Texas Instruments Incorporated, A Guide to Information Engineering Using the IEF\u2122: Computer-Aided Planning, Analysis, and Design, second ed., Texas Instruments Incorporated, USA, 1990."},{"key":"10.1016\/S0378-7206(03)00044-2_BIB29","unstructured":"R. Weber, Information Systems Control and Audit, Prentice-Hall, Englewood Cliffs, NJ, USA, 1999."},{"issue":"2","key":"10.1016\/S0378-7206(03)00044-2_BIB30","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1016\/S1361-3723(99)80005-0","article-title":"Third generation risk management practices","volume":"1999","author":"Wright","year":"1999","journal-title":"Computer Fraud & Security"}],"container-title":["Information & Management"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0378720603000442?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0378720603000442?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2019,3,21]],"date-time":"2019-03-21T10:51:56Z","timestamp":1553165516000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0378720603000442"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2003,12]]},"references-count":30,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2003,12]]}},"alternative-id":["S0378720603000442"],"URL":"https:\/\/doi.org\/10.1016\/s0378-7206(03)00044-2","relation":{},"ISSN":["0378-7206"],"issn-type":[{"value":"0378-7206","type":"print"}],"subject":[],"published":{"date-parts":[[2003,12]]}}}