[1] Information technology -- Guidelines for the management of IT Security -- Part 3: Techniques for the management of IT Security [S], ISO/IEC TR 13335-3:1998 (E), 1998.
[2] The International Organization for Standardization. Information Technology - Code of Practice for Information Security Management [S], ISO/IEC 17799:2000 (E), 2000.
[3] The International Organization for Standardization. Common Criteria for Information Technology Security Evaluation - Part 3: Security Assurance Requirements [S], ISO/IEC 15408-3:1999 (E), 1999.
[4] Carlos Villarrubia, Eduardo Fernández-Medina, Mario Piattini. Analysis of ISO/IEC 17799:2000 to be used in Security Metrics. http://www.scom.hud.ac.uk/scomzl/conference.2005.2.2.
[5] United States General Accounting Office, Accounting and Information Management Division. Information Security Risk Assessment [Z]. August 1999.
[6] National Institute of Standards and Technology. Special Publications 800-30, Risk Management Guide (DRAFT) [Z]. June 2001.
[7] BUTLER S A, FISCHBECK P. Multi-Attribute Risk Assessment, Technical Report CMD-CS-01-169 [R]. December 2001.
[8] BUTLER S A. Security Attribute Evaluation Method: A Cost-Benefit Approach [Z]. Computer Science Department, 2001.
[9] PELTIER T R. Information Security Risk Analysis [Z]. Rothstein Associates Inc, 2001.