Abstract
The quantification of information security risks is currently highly subjective.
Values for information such as impact and probability, which are estimated during
risk analysis, are mostly estimated by people or experts internal or external to the
organization. Because the estimation of these values is done by people, all with
different backgrounds and personalities, the values are exposed to subjectivity.
It is rare for any two people to estimate the same value for a given risk analysis
input. There will always be a degree of uncertainty and imprecision
in the values estimated. It is therefore during the data-gathering phase of risk
analysis that the problem of subjectivity lies.
To address the problem of subjectivity, techniques that mathematically deal with
and present uncertainty and imprecision are used to estimate values for
probability and impact. During this research a model for the objective estimation
of probability was developed. The model uses mostly input values that are
entirely objective, but also a small number of subjective input values. It is in
these subjective input values that fuzzy logic and Monte Carlo simulation come
into play. Fuzzy logic converts a qualitative, subjective rating into a numeric
value, and Monte Carlo simulation complements fuzzy logic by sampling the uncertain,
imprecise input variable to produce its cumulative distribution function. In this
way subjectivity is dealt with and the result of the model is a probability value that
is estimated objectively.
The same model that was used for the objective estimation of probability was
used to estimate impact objectively. The end result of the research is the
combination of the models to use the objective impact and probability values in a
formula that calculates risk. The risk factors are then calculated objectively. A
prototype was developed as proof that the process of objective information
security risk quantification can be implemented in practice.
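As an added illustration (not code from the thesis or its prototype), the following Python sketch shows one way to implement the two steps described above and then combine the result with an objective probability in a risk formula: a subjective rating such as "medium" is given a crisp value by defuzzifying a fuzzy set, Monte Carlo sampling of that fuzzy set yields an empirical cumulative distribution function, and the objective probability is multiplied into the sampled impact. The triangular membership functions, the Poisson-style probability estimate from incident counts, the product risk formula and the sample inputs are all assumptions made for this example.

```python
import bisect
import math
import random
from statistics import mean
from typing import Callable, Dict, List, Tuple

# Linguistic terms for a subjective rating, modelled as triangular fuzzy numbers
# (a, b, c) on a normalised 0..1 scale. The shapes are an assumption for this
# example, not values taken from the thesis.
TERMS: Dict[str, Tuple[float, float, float]] = {
    "low": (0.0, 0.1, 0.35),
    "medium": (0.25, 0.5, 0.75),
    "high": (0.65, 0.9, 1.0),
}


def membership(x: float, tri: Tuple[float, float, float]) -> float:
    """Degree (0..1) to which the crisp value x belongs to the triangular fuzzy set."""
    a, b, c = tri
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


def fuzzify(x: float) -> Dict[str, float]:
    """Crisp value -> membership in every term (0.3 is partly 'low' and partly 'medium')."""
    return {term: membership(x, tri) for term, tri in TERMS.items()}


def defuzzify(term: str) -> float:
    """Fuzzy logic step: give the subjective term one crisp value (centroid of the triangle)."""
    a, b, c = TERMS[term]
    return (a + b + c) / 3.0


def objective_probability(incidents: int, exposure_years: float) -> float:
    """Objective input: P(at least one incident per year) from observed counts.
    Assumes a constant-rate (Poisson) process, so P = 1 - exp(-rate)."""
    rate = incidents / exposure_years
    return 1.0 - math.exp(-rate)


def monte_carlo(term: str, n: int = 20000, seed: int = 1) -> List[float]:
    """Monte Carlo step: draw n values of the uncertain input, treating the
    normalised membership function as its probability density."""
    a, b, c = TERMS[term]
    rng = random.Random(seed)
    # random.triangular takes (low, high, mode)
    return [rng.triangular(a, c, b) for _ in range(n)]


def empirical_cdf(samples: List[float]) -> Callable[[float], float]:
    """Return F(x) = fraction of samples <= x, the CDF attached to the input."""
    ordered = sorted(samples)
    return lambda x: bisect.bisect_right(ordered, x) / len(ordered)


def quantile(samples: List[float], q: float) -> float:
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def risk_summary(impact_term: str, probability: float,
                 n: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Combine the objective probability with the Monte Carlo impact distribution:
    risk = probability * impact (assumed formula), summarised as mean and quantiles."""
    impacts = monte_carlo(impact_term, n, seed)
    risks = [probability * i for i in impacts]
    return {
        "probability": probability,
        "impact_crisp": defuzzify(impact_term),
        "risk_mean": mean(risks),
        "risk_p50": quantile(risks, 0.50),
        "risk_p90": quantile(risks, 0.90),
    }


if __name__ == "__main__":
    # Constructed inputs: 3 incidents in 5 years (objective), impact rated "medium" (subjective).
    p = objective_probability(3, 5.0)
    cdf = empirical_cdf(monte_carlo("medium"))
    print(f"P(incident/yr) = {p:.3f}")
    print(f"P(impact <= 0.6) = {cdf(0.6):.3f}")
    for k, v in risk_summary("medium", p).items():
        print(f"{k:>13}: {v:.4f}")
```

The mean of the sampled impact converges on the centroid returned by `defuzzify`, so the crisp fuzzy value and the Monte Carlo distribution agree with each other; the distribution additionally exposes the tail (for example the 90th percentile of risk) that a single crisp value hides.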
Prof. L. Labuschagne