Abstract
Achieving quantitative risk assessment has long been an elusive goal in information security, where subjective and qualitative assessments dominate. This paper discusses the appropriateness of statistical and quantitative methods for information security risk management. Through case studies, we discuss different types of risks in terms of quantitative risk assessment, grappling with how to obtain distributions of both probability and consequence for the risks. N.N. Taleb’s concepts of the Black Swan and the Four Quadrants provide the foundation for our approach and classification. We apply these concepts to determine where it is appropriate to apply quantitative methods, and where we should exert caution in our predictions. Our primary contribution is a treatise on different types of risk calculations, and a classification of information security threats within the Four Quadrants.
Notes
1. In comparison to the Normal distribution, a fat-tailed distribution exhibits large skewness or kurtosis.
3. Conficker was initially a computer worm, but when the payload was uploaded post-infection, it turned out to be a botnet.
4. Gameover Zeus. https://goz.shadowserver.org/stats/.
References
Armstrong, J.S.: Long-Range Forecasting: From Crystal Ball to Computer. Wiley, New York (1978)
Audestad, J.: E-Bombs and E-Grenades: The Vulnerability of the Computerized Society. Gjovik University College (2009)
Aven, T.: Misconceptions of Risk. Wiley, New York (2011)
Geyer, C.J.: Stat 5102 notes: More on confidence intervals. http://www.stat.umn.edu/geyer/old03/5102/notes/ci.pdf. Accessed 07 April 2015
Dey, A.K., Kundu, D.: Discriminating between the log-normal and log-logistic distributions. Commun. Stat. Theory Meth. 39(2), 280–292 (2009)
Ghahramani, Z.: Probabilistic modelling, machine learning, and the information revolution. In: Presentation at MIT CSAIL (2012)
Hole, K.J.: Management of hidden risks. Computer 46(1), 65–70 (2013)
Hole, K.J., Netland, L.-H.: Toward risk assessment of large-impact and rare events. IEEE Secur. Priv. 8(3), 21–27 (2010)
Kahneman, D.: Thinking, Fast and Slow. Macmillan, New York (2011)
Milkman, K.L., Chugh, D., Bazerman, M.H.: How can decision making be improved? Perspect. Psychol. Sci. 4(4), 379–383 (2009)
Lewis, J.A.: Assessing the risks of cyber terrorism, cyber war and other cyber threats. Technical report, Center for Strategic & International Studies (2002)
Taleb, N.N.: Errors, robustness, and the fourth quadrant. Int. J. Forecast. 25(4), 744–759 (2009)
Taleb, N.N.: The Black Swan: The Impact of the Highly Improbable, 2nd edn. Random House LLC, New York (2010)
Wangen, G., Snekkenes, E.: A taxonomy of challenges in information security risk management. In: Proceedings of the Norwegian Information Security Conference/Norsk informasjonssikkerhetskonferanse (NISK), Stavanger, vol. 2013. Akademika forlag (2013)
Yu, S., Gu, G., Barnawi, A., Guo, S., Stojmenovic, I.: Malware propagation in large-scale networks. IEEE Trans. Knowl. Data Eng. 1, 170–179 (2015)
Acknowledgments
The authors acknowledge Professors Jan Arild Audestad, Einar Snekkenes and Katrin Franke, and the data contributions made by the Shadowserver Foundation. The authors also recognize the sponsorship from COINS Research School for information security.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Wangen, G., Shalaginov, A. (2016). Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security. In: Lambrinoudakis, C., Gabillon, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2015. Lecture Notes in Computer Science, vol 9572. Springer, Cham. https://doi.org/10.1007/978-3-319-31811-0_8
DOI: https://doi.org/10.1007/978-3-319-31811-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31810-3
Online ISBN: 978-3-319-31811-0
eBook Packages: Computer Science (R0)