This paper introduces previous studies that propose a model supporting decision-making on information security risk treatment by the top management of an organization and its assessment using statistical data. The reason that statistical data are used to assess the model is that the data necessary for information security risk treatment are not generally disclosed for security reasons. A verification using actual data is generally difficult.

This paper therefore proposes improvements to the assessment of the model using statistical data. A method to calculate the values used in the model, closer to the actual data is proposed to have more effective results by the model.

1. [1] R. Kawasaki (Aiba) and T. Hiromatsu, “Proposal of a Model Supporting Decision-Making on Information Security Risk Treatment,” World Academy of Science, Engineering and Technology, International Science Index, Economics and Management Engineering, Vol.1, No.4, 218, 2014.
2. [2] R. Kawasaki, “Doctor thesis: Proposal of a model supporting organizational information security risk treatment and its applicability study – Structure and operation of a model which adapts to ISO/IEC 27001:2013 and ISO/IEC 27002:2013,” Institute of Information Security, Thesis No.28, 2015.
3. [3] R. Kawasaki and T. Hiromatsu, “Verification of a Model Supporting Decision-Making on Information Security Risk Treatment by Using Statistical Data,” Economy, trade and industry statistics study, Vol.43, No.3, pp. 32-52, 2015.
4. [4] The Ministry of Economy, Trade and Industry, “The Actual Conditions Survey on 2014 of Information Processing,” 2015, http://www.meti.go.jp/statistics/zyo/zyouhou/result-2/h26jyojitsu.html [accessed August 1, 2017]
5. [5] ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls.
6. [6] JIS Q 27002:2014 – Information technology – Security techniques – Code of practice for information security controls.