An initial insight into Information Security Risk Assessment practices

Much of the debate surrounding risk management in information security (InfoSec) has been at the academic level, where the question of how practitioners view predominant issues is an essential element often left unexplored. Thus, this article represents an initial insight into how the InfoSec risk professionals see the InfoSec risk assessment (ISRA) field. We present the results of a 46-participant study where have gathered data regarding known issues in ISRA. The survey design was such that we collected both qualitative and quantitative data for analysis. One of the key contributions from the study is knowledge regarding how to handle risks at different organizational tiers, together with an insight into key roles and knowledge needed to conduct risk assessments. Also, we document several issues concerning the application of qualitative and quantitative methods, together with drawbacks and advantages. The findings of the analysis provides incentives to strengthen the research and scientific work for future research in InfoSec management

Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security

Achieving the quantitative risk assessment has long been an elusive problem in information security, where the subjective and qualitative assessments dominate. This paper discusses the appropriateness of statistical and quantitative methods for information security risk management. Through case studies, we discuss different types of risks in terms of quantitative risk assessment, grappling with how to obtain distributions of both probability and consequence for the risks. N.N. Taleb’s concepts of the Black Swan and the Four Quadrants provides the foundation for our approach and classification. We apply these concepts to determine where it is appropriate to apply quantitative methods, and where we should exert caution in our predictions. Our primary contribution is a treatise on different types of risk calculations, and a classification of information security threats within the Four Quadrants

Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security

Achieving the quantitative risk assessment has long been an elusive problem in information security, where the subjective and qualitative assessments dominate. This paper discusses the appropriateness of statistical and quantitative methods for information security risk management. Through case studies, we discuss different types of risks in terms of quantitative risk assessment, grappling with how to obtain distributions of both probability and consequence for the risks. N.N. Taleb’s concepts of the Black Swan and the Four Quadrants provides the foundation for our approach and classification. We apply these concepts to determine where it is appropriate to apply quantitative methods, and where we should exert caution in our predictions. Our primary contribution is a treatise on different types of risk calculations, and a classification of information security threats within the Four Quadrants