Handling Imprecise Information in Risk Management

Cost evaluation often constitutes a substantial part of the total risk analysis. Models that use decision-theoretic methods at different levels in the risk evaluation process are often unable to take into account situations where the available information concerning the consequences of different incidents is vague or numerically imprecise. Based on a more general theory for decision analysis, a method for cost evaluation is suggested. It includes well-founded and computable procedures that enable a risk manager to work with interval statements and comparisons. The method is easy to implement in a computer system and does not require the use of numerically overprecise statements of probability and cost. The evaluation results in an interval that expresses the maximum and minimum expected cost with respect to the estimations of the risk manager. The interval can be further investigated with respect to the range of values consistent with the estimations. The method extends a risk evaluation process currently in use at Telia AB (formerly Swedish Telecom).
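The following Python example is added here to illustrate what an expected-cost interval looks like; it is not the paper's own procedure, which the abstract does not spell out. It assumes one incident with mutually exclusive consequences, each given only an interval for probability and an interval for cost (no comparison statements); the function names and the sample figures are constructed.

```python
"""Min and max expected cost when probabilities and costs are intervals."""

def _extreme(prob, cost, maximise):
    """Optimise sum(p_i * c_i) with lo_i <= p_i <= hi_i and sum(p_i) == 1."""
    if any(lo < 0 or hi > 1 or lo > hi for lo, hi in prob):
        raise ValueError("each probability interval needs 0 <= lo <= hi <= 1")
    lows = [lo for lo, _ in prob]
    highs = [hi for _, hi in prob]
    if sum(lows) > 1 + 1e-12 or sum(highs) < 1 - 1e-12:
        raise ValueError("inconsistent: no distribution fits the intervals")
    # Expected cost is monotone in every cost, so only one endpoint matters.
    c = [hi if maximise else lo for lo, hi in cost]
    p = lows[:]                  # every consequence starts at its lower bound
    spare = 1.0 - sum(lows)      # probability mass still to be placed
    # Put the spare mass on the most (or least) costly consequences first.
    for i in sorted(range(len(c)), key=lambda k: c[k], reverse=maximise):
        step = min(spare, highs[i] - lows[i])
        p[i] += step
        spare -= step
    return sum(pi * ci for pi, ci in zip(p, c))

def expected_cost_interval(prob, cost):
    """Return (minimum, maximum) expected cost consistent with the intervals."""
    return _extreme(prob, cost, False), _extreme(prob, cost, True)

# Constructed estimates for one incident: (lower, upper) per consequence.
SAMPLE_PROB = [(0.50, 0.70), (0.20, 0.40), (0.05, 0.20)]
SAMPLE_COST = [(10, 20), (100, 150), (500, 900)]   # arbitrary cost units

if __name__ == "__main__":
    low, high = expected_cost_interval(SAMPLE_PROB, SAMPLE_COST)
    print(f"expected cost lies in [{low:.1f}, {high:.1f}]")
```

The width of the returned interval shows how much the imprecision in the estimates matters: narrowing a single probability or cost interval and re-running shows which estimate is worth refining.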
