Author: Vorster, Anita
Date: 2008-06-04T11:27:02Z
Year: 2005
URI: http://hdl.handle.net/10210/527
Title: The quantification of information security risk using fuzzy logic and Monte Carlo simulation.
Type: Thesis
Supervisor: Prof. L. Labuschagne
Language: en
Subjects: Risk assessment; Monte Carlo method; Fuzzy logic; Computer security; Information technology risk assessment

Abstract:
The quantification of information security risks is currently highly subjective. Values such as impact and probability, which are estimated during risk analysis, are mostly supplied by people or experts internal or external to the organization. Because these values are estimated by people, all with different backgrounds and personalities, they are exposed to subjectivity. The chance that any two people estimate the same value for a piece of risk analysis information is small. There will always be a degree of uncertainty and imprecision in the estimated values. The problem of subjectivity therefore lies in the data-gathering phase of risk analysis. To address this problem, techniques that deal with and represent uncertainty and imprecision mathematically are used to estimate values for probability and impact. During this research a model for the objective estimation of probability was developed. The model uses mostly input values that are entirely objective, but also a small number of subjective input values. It is in these subjective input values that fuzzy logic and Monte Carlo simulation come into play. Fuzzy logic takes a qualitative subjective value and gives it an objective value, and Monte Carlo simulation complements fuzzy logic by assigning a cumulative distribution function to the uncertain, imprecise input variable. In this way subjectivity is dealt with, and the result of the model is a probability value that is estimated objectively. The same model that was used for the objective estimation of probability was used to estimate impact objectively. The end result of the research is the combination of the two models, so that the objective impact and probability values are used in a formula that calculates risk; the risk factors are then calculated objectively.

A prototype was developed as proof that the process of objective information security risk quantification can be implemented in practice.
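As an added illustration (not code from the thesis or its prototype), the following Python sketch shows the mechanism the abstract describes: a qualitative rating is mapped to a fuzzy number, Monte Carlo sampling turns that imprecise input into an empirical cumulative distribution, and probability and impact are combined into a risk distribution. The five-term linguistic scale, the triangular membership functions and the multiplicative risk formula are assumptions made for this example, not the thesis's own definitions.

```python
import random
from bisect import bisect_right
from typing import Dict, List, Tuple

# Constructed linguistic scale (assumption, not the thesis's membership
# functions): each qualitative rating becomes a triangular fuzzy number
# (lowest, most likely, highest) on the unit interval.
FUZZY_SCALE: Dict[str, Tuple[float, float, float]] = {
    "very low":  (0.00, 0.05, 0.15),
    "low":       (0.05, 0.20, 0.35),
    "medium":    (0.30, 0.50, 0.70),
    "high":      (0.65, 0.80, 0.95),
    "very high": (0.85, 0.95, 1.00),
}

def sample_fuzzy(rating: str, rng: random.Random) -> float:
    """One Monte Carlo draw from the triangular fuzzy number for a rating."""
    low, mode, high = FUZZY_SCALE[rating.lower()]
    return rng.triangular(low, high, mode)  # stdlib order: (low, high, mode)

def simulate_risk(prob_rating: str, impact_rating: str,
                  n: int = 20000, seed: int = 7) -> List[float]:
    """Propagate two fuzzy inputs through risk = probability * impact and
    return the sorted samples; their empirical CDF is the model's output."""
    rng = random.Random(seed)
    samples = [sample_fuzzy(prob_rating, rng) * sample_fuzzy(impact_rating, rng)
               for _ in range(n)]
    samples.sort()
    return samples

def empirical_cdf(samples: List[float], x: float) -> float:
    """P(risk <= x) estimated from the sorted Monte Carlo samples."""
    return bisect_right(samples, x) / len(samples)

def quantile(samples: List[float], q: float) -> float:
    """q-th quantile (0 <= q <= 1) of the sorted samples."""
    idx = min(len(samples) - 1, int(q * len(samples)))
    return samples[idx]

def summarize(prob_rating: str, impact_rating: str) -> Dict[str, float]:
    """Mean and percentiles a risk register could record instead of one point value."""
    s = simulate_risk(prob_rating, impact_rating)
    return {"mean": sum(s) / len(s), "p10": quantile(s, 0.10),
            "p50": quantile(s, 0.50), "p90": quantile(s, 0.90)}

if __name__ == "__main__":
    print(summarize("medium", "high"))
```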