Addressing the need for independence in the CSE model

Information system security risk, defined as the product of the monetary losses associated with security incidents and the probability that they occur, is a suitable decision criterion when considering different information system architectures. Risk assessment is the widely accepted process used to...

Full description

Saved in:
Bibliographic Details
Main Authors: Abercrombie, R. K., Ferragut, E. M., Sheldon, F. T., Grimaila, M. R.
Format: Conference Proceeding
Language:English
Subjects:
Algorithms
Computer architecture
Computer security
Cybersecurity Metrics
Cyberspace
Econometrics
Information Assurance Controls
Information security
Mitigation Costs
Risk Analysis
Risk management
Stakeholder Value
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Information system security risk, defined as the product of the monetary losses associated with security incidents and the probability that they occur, is a suitable decision criterion when considering different information system architectures. Risk assessment is the widely accepted process used to understand, quantify, and document the effects of undesirable events on organizational objectives so that risk management, continuity of operations planning, and contingency planning can be performed. One technique, the Cyberspace Security Econometrics System (CSES), is a methodology for estimating security costs to stakeholders as a function of possible risk postures. In earlier works, we presented a computational infrastructure that allows an analyst to estimate the security of a system in terms of the loss that each stakeholder stands to sustain, as a result of security breakdowns. Additional work has applied CSES to specific business cases. The current state-of-the-art of CSES addresses independent events. In typical usage, analysts create matrices that capture their expert opinion, and then use those matrices to quantify costs to stakeholders. This expansion generalizes CSES to the common real-world case where events may be dependent.
DOI:10.1109/CICYBS.2011.5949395