ABSTRACT Attacks on information systems and networks have become more numerous, sophisticated, and severe in recent years. New types of securityrelated incidents emerge more frequently. While preventing such attacks would be the ideal course of action for organizations, not all information system security incidents can be prevented. Every organization that depends on information systems and networks to carry out its mission should identify and assess the risks to its systems and its information and reduce those risks to an acceptable leve
