Quantifying information security risks using expert judgment elicitation

In the information security business, 30 years of practical and theoretical research has resulted in a fairly sophisticated appreciation for how to judge the qualitative level of risk faced by an enterprise. Based upon that understanding, there is a practical level of protection that a competent security manager can architect for a given enterprise. It would, of course, be better to use a quantitative approach to risk management, but, unfortunately, sufficient quantitative data that has been scientifically collected and analyzed does not exist. There have been many attempts to develop quantitative data using traditional quantitative methods, such as experiments, surveys, and observations, but there are significant weaknesses apparent in each approach. The research described in this paper was constructed to explore the utility of applying the well-established method of expert judgment elicitation to the field of information security. The instrument for eliciting the expert judgments was developed by two information security specialists and two expert judgment analysis specialists. The resultant instrument was validated using a small set of information security experts. The final instrument was used to elicit answers to both the calibration and judgment questions through structured interviews. The data was compiled and analyzed by a specialist in expert judgment analysis. This research illustrates the development of prior distributions for the parameters of models for cyber attacks and uses expert judgment results to develop the distributions.
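The abstract describes eliciting both calibration and judgment questions from experts and turning the results into prior distributions for cyber-attack model parameters. The Python block below is an added example, not code from the paper, showing one standard way this is done: Cooke's classical model, in which seed (calibration) questions with known answers give each expert a calibration score and an information score, and those scores weight the experts' 5%/50%/95% quantile answers on a target question into one pooled prior. That the paper used this particular weighting scheme is an assumption; the expert names, seed values, realizations, the target quantity (successful intrusions per year at a hypothetical enterprise) and the fixed calibration cutoff ALPHA are all constructed for the example.

```python
"""Cooke-style classical model for pooling expert quantile judgments into a prior.

Added example (not from the paper). All data below is constructed.
"""
import math

QUANTILE_LEVELS = (0.05, 0.50, 0.95)   # quantiles elicited per question
BIN_MASS = (0.05, 0.45, 0.45, 0.05)    # mass a quantile triple implies per inter-quantile bin
ALPHA = 0.05      # calibration cutoff (assumed fixed here; Cooke's model optimises it)
OVERSHOOT = 0.10  # intrinsic-range extension used for the information score

# Constructed data: 3 experts, 4 seed questions with known realizations,
# and one target question (assumed: successful intrusions per year).
SEED_REALIZATIONS = [12, 3, 40, 7]
EXPERTS = {
    "A": {"seeds": [(5, 10, 20), (1, 4, 8), (20, 35, 60), (2, 6, 15)], "target": (2, 5, 12)},
    "B": {"seeds": [(9, 10, 11), (5, 6, 7), (38, 39, 41), (10, 11, 12)], "target": (4, 5, 6)},
    "C": {"seeds": [(2, 15, 40), (0.5, 2, 10), (10, 30, 100), (1, 5, 25)], "target": (1, 6, 30)},
}


def bin_index(value, q):
    """Which of the 4 bins cut by (q5, q50, q95) contains value (ties go to the lower bin)."""
    return sum(value > bound for bound in q)


def relative_information(s, p):
    """Kullback-Leibler divergence I(s; p) of empirical bin frequencies s from p."""
    return sum(si * math.log(si / pi) for si, pi in zip(s, p) if si > 0)


def chi2_sf_3dof(x):
    """Survival function of the chi-square distribution with 3 degrees of freedom (closed form)."""
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)


def calibration_score(seed_answers, realizations):
    """p-value-style score: how plausible the observed bin hit pattern is if BIN_MASS were true."""
    n = len(realizations)
    counts = [0] * 4
    for q, real in zip(seed_answers, realizations):
        counts[bin_index(real, q)] += 1
    s = [c / n for c in counts]
    return chi2_sf_3dof(2 * n * relative_information(s, BIN_MASS))


def intrinsic_range(all_answers, realization=None):
    """Range spanning every expert's q5..q95 (and the realization), extended by OVERSHOOT."""
    lo = min(q[0] for q in all_answers)
    hi = max(q[2] for q in all_answers)
    if realization is not None:
        lo, hi = min(lo, realization), max(hi, realization)
    span = hi - lo
    return lo - OVERSHOOT * span, hi + OVERSHOOT * span


def item_information(q, lo, hi):
    """Relative information of the expert's piecewise-uniform density against uniform on [lo, hi]."""
    edges = (lo, *q, hi)
    return sum(p * math.log(p * (hi - lo) / (edges[i + 1] - edges[i]))
               for i, p in enumerate(BIN_MASS))


def information_score(name, experts, realizations):
    """Mean per-seed information of one expert; narrow, well-placed intervals score higher."""
    total = 0.0
    for i, real in enumerate(realizations):
        lo, hi = intrinsic_range([e["seeds"][i] for e in experts.values()], real)
        total += item_information(experts[name]["seeds"][i], lo, hi)
    return total / len(realizations)


def expert_weights(experts, realizations):
    """Performance-based weights: calibration x information, zeroed below ALPHA, normalised."""
    raw = {}
    for name, e in experts.items():
        cal = calibration_score(e["seeds"], realizations)
        info = information_score(name, experts, realizations)
        raw[name] = cal * info if cal >= ALPHA else 0.0
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}


def expert_cdf(x, q, lo, hi):
    """Piecewise-linear CDF through (lo,0), (q5,.05), (q50,.5), (q95,.95), (hi,1)."""
    xs, ps = (lo, *q, hi), (0.0, *QUANTILE_LEVELS, 1.0)
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    for i in range(4):
        if x <= xs[i + 1]:
            return ps[i] + (x - xs[i]) / (xs[i + 1] - xs[i]) * (ps[i + 1] - ps[i])


def pooled_quantiles(experts, weights, key="target", levels=QUANTILE_LEVELS):
    """Linear opinion pool of the weighted expert distributions, inverted at the given levels."""
    answers = {n: e[key] for n, e in experts.items()}
    lo, hi = intrinsic_range(list(answers.values()))
    pooled = lambda x: sum(w * expert_cdf(x, answers[n], lo, hi) for n, w in weights.items())
    out = []
    for level in levels:
        a, b = lo, hi
        for _ in range(60):  # bisection on the monotone pooled CDF
            mid = (a + b) / 2
            a, b = (mid, b) if pooled(mid) < level else (a, mid)
        out.append((a + b) / 2)
    return tuple(out)


if __name__ == "__main__":
    w = expert_weights(EXPERTS, SEED_REALIZATIONS)
    print("weights:", {n: round(x, 3) for n, x in w.items()})
    print("pooled prior (5%, 50%, 95%):", [round(v, 2) for v in pooled_quantiles(EXPERTS, w)])
```

With this data expert B's narrow intervals miss the realizations, so B's calibration score falls below ALPHA and B gets zero weight despite being the most "informative"; A and C are equally calibrated, but A's tighter intervals earn the larger weight, so the pooled median lands between A's and C's medians, closer to A's. The pooled triple is what would seed a prior distribution for the attack-model parameter; the intrinsic-range convention can extend below zero for a count, so a practitioner would typically truncate or fit a non-negative family to these quantiles.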
