Quantification, Optimization and Uncertainty Modeling in Information Security Risks: A Matrix-Based Approach

Sanjay Goel (University at Albany, SUNY, USA) and Eitel J.M. Lauría (Marist College, USA)
Copyright: © 2010 | Pages: 20
DOI: 10.4018/irmj.2010040103


In this paper, the authors present a quantitative model for estimating a firm's security risk exposure. The model includes a formulation for optimizing the set of controls as well as for determining the sensitivity of asset exposure to different threats. It uses a series of matrices to organize the data as groups of assets, vulnerabilities, threats, and controls. The matrices are then linked such that data is aggregated in each matrix and cascaded across the others. The computations are reversible and transparent, allowing analysts to answer what-if questions on the data. The exposure formulation is based on the Annualized Loss Expectancy (ALE) model, and uncertainties in the data are captured via Monte Carlo simulation. A mock case study based on a government agency is used to illustrate the methodology.
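The following is an added illustration of the kind of matrix-linked ALE computation the abstract describes; it is not the authors' formulation or their case-study data. It assumes a simple linkage: an asset x vulnerability exposure-factor matrix, a threat x vulnerability annualized-rate matrix, and a control x vulnerability effectiveness matrix, with ALE for each (asset, vulnerability, threat) triple equal to asset value x exposure factor x rate x residual factor after controls. All asset values, factors, rates, control costs and the triangular uncertainty spread are constructed for the example. Control selection is an exhaustive search over subsets (fine for a handful of controls), and the Monte Carlo step perturbs only the rates.

```python
"""Matrix-style ALE risk model with control optimisation and Monte Carlo uncertainty.

Added illustration, not the paper's own model; every number below is constructed.
"""
import itertools
import random

# Constructed data. Rows and columns are keyed by name so each matrix reads as a table.
ASSET_VALUE = {"customer_db": 1_000_000.0, "web_server": 200_000.0}
VULNS = ["sqli", "unpatched_os"]
THREATS = ["external_attacker", "malware"]

# Asset x vulnerability: exposure factor, the fraction of asset value lost
# when the vulnerability is exploited (0 = asset not affected).
EF = {
    "customer_db": {"sqli": 0.5, "unpatched_os": 0.2},
    "web_server": {"sqli": 0.1, "unpatched_os": 0.4},
}
# Threat x vulnerability: annualized rate of occurrence (point estimate)
# of the threat exploiting the vulnerability.
ARO = {
    "external_attacker": {"sqli": 0.2, "unpatched_os": 0.1},
    "malware": {"sqli": 0.0, "unpatched_os": 0.5},
}
# Control x vulnerability: fractional reduction in exploitation likelihood,
# and the annual cost of operating each control.
CONTROL_EFFECT = {
    "waf": {"sqli": 0.8, "unpatched_os": 0.0},
    "patch_mgmt": {"sqli": 0.0, "unpatched_os": 0.9},
    "ids": {"sqli": 0.3, "unpatched_os": 0.3},
}
CONTROL_COST = {"waf": 30_000.0, "patch_mgmt": 50_000.0, "ids": 20_000.0}


def residual_factor(vuln, controls):
    """Likelihood multiplier left after applying controls, treated as independent."""
    f = 1.0
    for c in controls:
        f *= 1.0 - CONTROL_EFFECT[c][vuln]
    return f


def ale_by_threat(controls=(), aro=ARO):
    """Cascade asset -> vulnerability -> threat and return ALE per threat.

    ALE(asset, vuln, threat) = AV * EF * ARO * residual(vuln, controls).
    Per-threat totals give the sensitivity of exposure to each threat.
    """
    out = {}
    for t in THREATS:
        total = 0.0
        for v in VULNS:
            r = residual_factor(v, controls)
            for a, av in ASSET_VALUE.items():
                total += av * EF[a][v] * aro[t][v] * r
        out[t] = total
    return out


def total_ale(controls=(), aro=ARO):
    return sum(ale_by_threat(controls, aro).values())


def optimize_controls():
    """Exhaustive search over control subsets minimising residual ALE plus control cost."""
    best = None
    for k in range(len(CONTROL_COST) + 1):
        for subset in itertools.combinations(sorted(CONTROL_COST), k):
            cost = total_ale(subset) + sum(CONTROL_COST[c] for c in subset)
            if best is None or cost < best[1]:
                best = (subset, cost)
    return best


def monte_carlo_ale(controls=(), samples=5000, spread=0.5, seed=1):
    """Treat each ARO as uncertain: triangular between (1-spread) and (1+spread)
    times the point estimate, mode at the estimate (a constructed choice).
    Returns (mean ALE, 95th-percentile ALE) over the sampled scenarios."""
    rng = random.Random(seed)
    results = []
    for _ in range(samples):
        sampled = {
            t: {v: (rng.triangular((1 - spread) * m, (1 + spread) * m, m) if m > 0 else 0.0)
                for v, m in row.items()}
            for t, row in ARO.items()
        }
        results.append(total_ale(controls, sampled))
    results.sort()
    mean = sum(results) / samples
    p95 = results[int(0.95 * samples) - 1]
    return mean, p95


if __name__ == "__main__":
    print("ALE by threat, no controls:", ale_by_threat())
    print("Total ALE, no controls:", total_ale())
    best = optimize_controls()
    print("Best control set and ALE + cost:", best)
    print("Monte Carlo (mean, p95) with best controls:", monte_carlo_ale(best[0]))
```

With these constructed inputs the uncontrolled ALE is 272,000, split 132,000 to the external attacker and 140,000 to malware, and the search picks the WAF plus patch management (residual ALE 37,600 for 80,000 in control cost); adding the IDS lowers ALE further but not by enough to cover its cost. Because the per-threat and per-vulnerability contributions are linear, changing one matrix cell and rerunning answers the what-if question directly.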
Article Preview


Risk analysis has existed as a formal discipline for a long time in fields such as finance, nuclear energy, aviation, pharmaceuticals, etc. However, information security risk analysis poses unique issues, such as complexity of the computing infrastructure as well as lack of data and formal models requiring a rethinking of the entire process. Complex interdependencies between systems and assets make the risk analysis process unwieldy and onerous (Anderson, 2001a). These dependencies need to be carefully examined to conduct a meaningful risk analysis (Soo Hoo, 2000). An innocuous vulnerability in an obscure system could seriously influence the security of crucial data and systems as well as affect privacy and safety. Humans form a critical link in the information security chain. Consequently, risk modeling requires behavioral approaches that can capture user behavior as well as hacker motivations. Identifying these interdependencies is the most critical, and perhaps the hardest step in risk analysis (Loch, Carr, & Warkentin, 1992). Once the interdependencies are identified, the second step involves collecting data that will quantify these interdependencies and translate them into monetary losses. This is a challenging task since the data currently available is neither reliable nor static, necessitating large investment of resources in collecting and updating such data. The final step requires identification of risk controls and quantification of their effect on reducing exposure. This again, is a data intensive problem that poses significant challenges. Incomplete determination of interdependencies or lack of accurate data can lead to too many or too few resources committed towards security management.

Rapid evolution in the field of information technology makes risk analysis even more burdensome, since changes can render a risk analysis obsolete in the short term. Due to the difficulties associated with a formal information security risk analysis and the cost involved, most organizations base their security strategy on standard guidelines issued by government agencies (NIST, 1996) and vendors of security solutions rather than carefully examining their specific needs. Without understanding their security requirements, they react instinctively to security bulletins rather than prepare rationally planned responses to potential threats.

Fundamentally, risk analysis is an economic problem: a cost-benefit analysis must be performed to determine the appropriate set of controls for the risks. Several formal models have been proposed for estimating the economic impact of security breaches (Bodin, Gordon, & Loeb, 2005; Gordon & Loeb, 2002; Butler, 2002; Meadows, 2001; Schechter, 2005; Cerullo & Shelton, 1981; Cavusoglu, Mishra, & Raghunathan, 2004); however, the problem of information security risk analysis remains difficult. Not all organizations are the same, and each has different assets, vulnerabilities, and threats, ultimately leading to dissimilar security requirements. For instance, a college may have very different needs than a large defense contractor whose information is export-sensitive and proprietary. Similarly, an Internet-based business whose primary revenue stream is generated through the network has a greater need to protect itself from Denial-of-Service attacks than a manufacturer that uses a website primarily for disseminating information to employees and customers. Instead of basing controls on generic checklists and guidelines, controls should be customized to the specific assets, vulnerabilities, and threats of the organization through information security risk analysis. To increase the adoption of risk analysis practices in organizations and facilitate rationalization of the data, the process needs to be streamlined and made transparent. A methodology is required that remains operational in a dynamic security environment and is defensible on the basis of rigorous mathematical analysis. This work addresses that problem by proposing an approach to quantitative risk analysis.
