5
ELABORATING QUANTITATIVE APPROACHES
FOR IT SECURITY EVALUATION
Dimitris GRITZALIS, Maria KARYDA, Lazaros GYMNOPOULOS
Dept. of Informatics, Athens University of Economics and Business
76 Patission Ave., Athens GR-10434 Greece
tel. +301-8203505, fax: +301-8203507, email: {dgrit, mka, lazaros}@aueb.gr
Abstract: Information Systems security evaluation is a sine qua non requirement for
effective IT security management, as well as for establishing trust among
different but cooperating business partners. This paper first provides a
critical review of traditionally applied evaluation and certification schemes.
Based upon this review, it stresses the need for an approach that is
quantitative in nature and can address the problem of IS operational security.
Such an approach is then presented, based mainly on an existing complex of
models (CEISOQ) for evaluating IS operation quality. It is argued that there
are clear benefits if this approach is applied in combination with the
traditional qualitative ones.
Key words: IT Security, Information Systems Security, Evaluation, Certification Schemes,
Complex for the Evaluation of Information Systems Operation Quality
(CEISOQ).
The original version of this chapter was revised: the copyright line was incorrect. This has been
corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35586-3_46
© IFIP International Federation for Information Processing 2002
M. A. Ghonaimy et al. (eds.), Security in the Information Society