Quantifying information security risks using expert judgment elicitation
Related papers
Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma
This paper presents the main security risk assessment methodologies used in information technology. The author starts from and research, bringing real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of the quantitative information security risk assessment models with the qualitative models shows that we can introduce two new factors which have an impact on risk assessment: time constraint and moral hazard of the analyst. Information technology managers know that in information systems long-term security is an ideal situation and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. These calculations will rarely be accurate, universal and ready for use by any security analyst.
Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk
International Journal of Computer Applications, 2014
Risk management methodologies, such as Mehari, Ebios, CRAMM and SP 800-30 (NIST), use a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed, to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset's value, exposure, frequency and existing protection measure.
Decision Support for Assessment of IT-security Risks
2013
IT-security risks can have a great impact on organizations and can cause high financial damage. To address security issues and avoid problems, knowledge about risks is vital. Therefore, a risk assessment process, which addresses security of IT-systems, is essential. However, risk assessment methods based on qualitative or quantitative approaches involve some difficulties and limitations. Therefore, in this research, we propose a risk assessment method based on semi-quantitative approach. The method provides decision support for security experts during evaluation of IT-security risks and enables assessment of threats both at a detailed level and as a whole. Imprecise information is captured from expert judgment and expressed numerically in interval form. The method is applied to a scenario in order to demonstrate its usage. We utilize a decision tool to present the outcomes. Moreover, sensitivity analysis is performed to point out most critical values.
Comparative Study of Information Security Risk Assessment Model
International Journal of Computer Applications
Analysis of security risks is crucial to the management of information systems. The same risks brought on by information assets, their potential threats, and vulnerabilities, as well as security measures, are to be prevented by security risk analysis models. Today, the majority of these models are utilized to assess risk value without recognizing the organization's security issues. As a result, decision-makers are unable to choose the best methodology for addressing security concerns. In this research paper, we have developed a Comparative Framework to carry out a thorough comparative analysis of the various models that underpin the information risk assessment process. Next, we have evaluated existing information security risk assessment models through this framework.
Comparative Study of Information Security Risk Assessment Frameworks
With the increasing need to secure an organization's computing environment, a security risk management framework is essentially needed that defines the security risk management process accurately. In this regard, numerous risk management frameworks have been developed, and many more are emerging every day. They all have very different perspectives and address problems differently, though with the same basic goal of risk mitigation in the direction of information security. Information is a critical asset for every organization, and hence the development and implementation of strategic plans for information security risk mitigation should be an essential part of every organization's operation. This paper compares and analyzes the different activities, inputs and outputs required by each information security risk assessment model. The primary goal of the paper is to identify which information security risk assessment model assesses information security risk effectively. The comparative study helps in evaluating the models' applicability to an organization and its specific needs.
Experimental Evaluations of Expert and Non-expert Computer Users' Mental Models of Security Risks
2000
There is a critical need in computer security to communicate risks and thereby enable informed decisions by naive users. Yet computer security has not been engaged with the scholarship of risk communication. While the existence of malicious actors may appear at first to distinguish computer risk from environmental or medical risk, the impersonal un-targeted nature of the exploitation
A Quantitative Model for Information-Security Risk Management
Engineering Management Journal, 2013
The paper presents a mathematical model to improve our knowledge of information security and risk management in contemporaneous businesses and other organizations. In the world of permanent cyber-attacks to information systems the knowledge about risk management is becoming a crucial task for minimization of the potential risks that can endeavour their operation. Therefore, it requires good knowledge of information security. The prevention of the heavy losses that may happen due to cyber-attacks and other failures in an organization is usually associated with knowledge about appropriate investment in different security measures. With the rise of the potential risks from different cyber-attacks the investment in security services and data protection is growing and is becoming a serious economic issue to many organizations and enterprises. The paper presents a mathematical model for the optimal security-technology investment evaluation and decision-making processes based on the quantitative analysis of security risks and digital asset assessments in an enterprise. The model makes use of the quantitative analysis of different security measures that counteract individual risks by identifying the information system processes in an enterprise and the potential threats. The selection of security technology is based on the efficiency of selected security measures. Economic metrics are applied for the efficiency assessment and comparative analysis of different protection technologies. Unlike the existing models for evaluation of the security investment, the proposed model allows direct comparison and quantitative assessment of different security measures.
A Hybrid Model for Information Security Risk Assessment
International Journal of Advanced Trends in Computer Science and Engineering, 2019
Many industry standards and methodologies were introduced which have brought forth the management of threat assessment and risk management of information assets in a systematic manner. This paper will review and analyze the main processes followed in IT risk management frameworks from the perspective of the threat analysis process using a threat modeling methodology. In this study, the authors propose a new assessment model which shows that systematic threat analysis is an essential element to be considered as an integrated process within IT risk management frameworks. The newly proposed model complements and fills the gap in the practice of assessing information security risks.
Cyber Security Risk Assessment for Non Experts
This investigation introduces a novel methodology known as Cybersecurity Risk Assessment for Non-experts (CRANE), designed to simplify the intricacies involved in managing cybersecurity risks for entities and individuals devoid of specialised technical knowledge. CRANE integrates straightforward evaluation tools with instructional content, intending to enhance the cybersecurity literacy of laypersons. Employing a holistic mixed-methods approach that combines surveys and prototype testing, the study evaluates the user-friendliness and effectiveness of the framework. The results indicate a significant improvement in non-experts' abilities to identify, understand, and mitigate cyber threats, highlighting CRANE's role in enhancing cybersecurity accessibility. This initiative not only identifies gaps in current risk assessment methodologies but also offers a viable solution to foster a broader understanding and implementation of cyber resilience practices.