论文信息 - Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security

Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security

Achieving the quantitative risk assessment has long been an elusive problem in information security, where the subjective and qualitative assessments dominate. This paper discusses the appropriateness of statistical and quantitative methods for information security risk management. Through case studies, we discuss different types of risks in terms of quantitative risk assessment, grappling with how to obtain distributions of both probability and consequence for the risks. N.N. Taleb’s concepts of the Black Swan and the Four Quadrants provides the foundation for our approach and classification. We apply these concepts to determine where it is appropriate to apply quantitative methods, and where we should exert caution in our predictions. Our primary contribution is a treatise on different types of risk calculations, and a classification of information security threats within the Four Quadrants.

Andrii Shalaginov | Gaute Wangen | Andrii Shalaginov | G. Wangen

[1] Robert J. Genetski,et al. Long-Range Forecasting: From Crystal Ball to Computer , 1981 .

[2] Alexander M. Millkey. The Black Swan: The Impact of the Highly Improbable , 2009 .

[3] P. Dent. The Black Swan: The Impact of the Highly Improbable (2nd edition) , 2010 .

[4] D. Hubbard,et al. Toward Risk Assessment of Large-Impact and Rare Events , 2010 .

[5] D. Kahneman. Thinking, Fast and Slow , 2011 .

[6] Debasis Kundu,et al. Discriminating Between the Log-Normal and Log-Logistic Distributions , 2009 .

[7] Song Guo,et al. Malware Propagation in Large-Scale Networks , 2015, IEEE Transactions on Knowledge and Data Engineering.

[8] T. Aven. Misconceptions of Risk , 2010 .

[9] J. Scott Armstrong,et al. Long-Range Forecasting: From Crystal Ball to Computer , 1981 .

[10] Nassim Nicholas Taleb,et al. Errors, Robustness, and the Fourth Quadrant , 2009 .

[11] Kjell Jørgen Hole,et al. Management of hidden risks , 2013, Computer.

[12] James A. Lewis. Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats , 2002 .

[13] Katherine L. Milkman,et al. How Can Decision Making Be Improved? , 2009, Perspectives on psychological science : a journal of the Association for Psychological Science.

[14] Einar Snekkenes,et al. A Taxonomy of Challenges in Information Security Risk Management , 2013 .