Title: Information security risk assessment, aggregation, and mitigation
Authors: Voss, T.; Lenstra, Arjen K.
Published: 2004
Record date: 2011-03-29
DOI: 10.1007/978-3-540-27800-9_34
URL: https://infoscience.epfl.ch/handle/20.500.14299/65744
Type: conference paper (conference proceedings)
Keywords: risk management; risk assessment; risk aggregation; risk mitigation; Basel 2; multiple-choice knapsack problem

Abstract: As part of their compliance process with the Basel 2 operational risk management requirements, banks must define how they deal with information security risk management. In this paper we describe work in progress on a new quantitative model to assess and aggregate information security risks that is currently under development for deployment. We show how to find a risk mitigation strategy that is optimal with respect to the model used and the available budget.