Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security

  • Conference paper
  • Risks and Security of Internet and Systems (CRiSIS 2015)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 9572)

Abstract

Achieving quantitative risk assessment has long been an elusive goal in information security, where subjective and qualitative assessments dominate. This paper discusses the appropriateness of statistical and quantitative methods for information security risk management. Through case studies, we discuss different types of risks in terms of quantitative risk assessment, grappling with how to obtain distributions of both probability and consequence for the risks. N.N. Taleb’s concepts of the Black Swan and the Four Quadrants provide the foundation for our approach and classification. We apply these concepts to determine where it is appropriate to apply quantitative methods, and where we should exert caution in our predictions. Our primary contribution is a treatise on different types of risk calculations, and a classification of information security threats within the Four Quadrants.

Notes

  1. Compared with the Normal distribution, a fat-tailed distribution exhibits large skewness or kurtosis.

  2. http://www.ats.ucla.edu/stat/stata/whatstat/whatstat.htm.

  3. Conficker was initially a computer worm, but once the payload was delivered post-infection it turned out to be a botnet.

  4. Gameover Zeus. https://goz.shadowserver.org/stats/.

  5. See also http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker.
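As an added worked example (not code from the paper), the Python below makes the two ideas the abstract and footnote 1 rest on concrete: it computes the sample skewness and excess kurtosis that separate fat-tailed from thin-tailed loss data, adds a simple "share of the total carried by the single largest loss" check that shows why averaging fails under fat tails, and places a risk in Taleb's Four Quadrants [12] from its payoff type and tail type. The kurtosis threshold, the payoff-type labels and the two synthetic loss samples are assumptions chosen for illustration, not data from the paper.

```python
"""Tail diagnostics and Four-Quadrant placement for loss samples.

Added worked example, not code from the paper. Fat tail = large skewness or
kurtosis relative to the Normal (footnote 1); quadrants follow Taleb [12]:
payoff type (simple/binary vs complex) crossed with tail type (thin vs fat).
The threshold and the synthetic samples below are assumptions.
"""
import math
import random
from typing import Dict, Iterable

# Assumption: excess kurtosis this far above the Normal's value of 0 flags a fat tail.
KURTOSIS_THRESHOLD = 1.0


def moments(xs: Iterable[float]) -> Dict[str, float]:
    """Sample mean, std, skewness and excess kurtosis (plain moment estimators).

    For a Normal population skewness -> 0 and excess kurtosis -> 0 as n grows."""
    x = list(xs)
    n = len(x)
    if n < 4:
        raise ValueError("need at least 4 observations")
    mean = sum(x) / n
    m2 = sum((v - mean) ** 2 for v in x) / n
    if m2 == 0.0:
        raise ValueError("zero variance")
    m3 = sum((v - mean) ** 3 for v in x) / n
    m4 = sum((v - mean) ** 4 for v in x) / n
    return {"n": n, "mean": mean, "std": math.sqrt(m2),
            "skewness": m3 / m2 ** 1.5,
            "excess_kurtosis": m4 / m2 ** 2 - 3.0}


def max_share(losses: Iterable[float]) -> float:
    """Fraction of the total loss carried by the single largest observation.

    Under thin tails this falls roughly like 1/n; under fat tails one event
    keeps dominating the total, which is what defeats averaging."""
    x = [float(v) for v in losses]
    total = sum(x)
    return max(x) / total if total > 0 else 0.0


def tail_type(losses: Iterable[float]) -> str:
    """'fat' or 'thin' according to the (assumed) kurtosis threshold."""
    return "fat" if moments(losses)["excess_kurtosis"] > KURTOSIS_THRESHOLD else "thin"


def quadrant(payoff: str, tail: str) -> str:
    """Taleb's Four Quadrants [12]: 'simple' = binary/bounded payoff,
    'complex' = open-ended magnitude; IV is where statistical prediction fails."""
    table = {("simple", "thin"): "I", ("complex", "thin"): "II",
             ("simple", "fat"): "III", ("complex", "fat"): "IV"}
    return table[(payoff, tail)]


def demo(seed: int = 2015, n: int = 5000) -> Dict[str, Dict[str, object]]:
    """Constructed samples: thin-tailed losses (Normal) vs fat-tailed losses
    (Pareto with alpha = 1.5, i.e. infinite variance). Both are synthetic."""
    rng = random.Random(seed)
    thin = [rng.gauss(100.0, 10.0) for _ in range(n)]          # e.g. routine outage costs
    fat = [1000.0 * rng.paretovariate(1.5) for _ in range(n)]  # e.g. breach costs
    out: Dict[str, Dict[str, object]] = {}
    for name, losses, payoff in (("thin", thin, "complex"), ("fat", fat, "complex")):
        m = moments(losses)
        t = tail_type(losses)
        out[name] = {"skewness": m["skewness"], "excess_kurtosis": m["excess_kurtosis"],
                     "max_share": max_share(losses), "tail": t,
                     "quadrant": quadrant(payoff, t)}
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:5s} kurt={r['excess_kurtosis']:9.2f} max_share={r['max_share']:.4f} "
              f"-> {r['tail']} tail, quadrant {r['quadrant']}")
```

Both synthetic series are given a "complex" (open-ended magnitude) payoff, so the only thing that moves them between quadrant II and quadrant IV is the tail diagnostic; a bounded, yes/no loss (a single fixed fine, say) would be labelled "simple" and land in I or III instead, where the paper argues statistics remain usable.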

References

  1. Armstrong, J.S.: Long-Range Forecasting: From Crystal Ball to Computer. Wiley, New York (1978)

  2. Audestad, J.: E-Bombs and E-Grenades: The Vulnerability of the Computerized Society. Gjovik University College (2009)

  3. Aven, T.: Misconceptions of Risk. Wiley, New York (2011)

  4. Geyer, C.J.: Stat 5102 notes: More on confidence intervals. http://www.stat.umn.edu/geyer/old03/5102/notes/ci.pdf. Accessed 07 April 2015

  5. Dey, A.K., Kundu, D.: Discriminating between the log-normal and log-logistic distributions. Commun. Stat. Theory Meth. 39(2), 280–292 (2009)

  6. Ghahramani, Z.: Probabilistic modelling, machine learning, and the information revolution. Presentation at MIT CSAIL (2012)

  7. Hole, K.J.: Management of hidden risks. Computer 46(1), 65–70 (2013)

  8. Hole, K.J., Netland, L.-H.: Toward risk assessment of large-impact and rare events. IEEE Secur. Priv. 8(3), 21–27 (2010)

  9. Kahneman, D.: Thinking, Fast and Slow. Macmillan, New York (2011)

  10. Milkman, K.L., Chugh, D., Bazerman, M.H.: How can decision making be improved? Perspect. Psychol. Sci. 4(4), 379–383 (2009)

  11. Lewis, J.A.: Assessing the risks of cyber terrorism, cyber war and other cyber threats. Technical report, Center for Strategic & International Studies (2002)

  12. Taleb, N.N.: Errors, robustness, and the fourth quadrant. Int. J. Forecast. 25(4), 744–759 (2009)

  13. Taleb, N.N.: The Black Swan: The Impact of the Highly Improbable, 2nd edn. Random House, New York (2010)

  14. Wangen, G., Snekkenes, E.: A taxonomy of challenges in information security risk management. In: Proceedings of the Norwegian Information Security Conference (NISK 2013), Stavanger. Akademika forlag (2013)

  15. Yu, S., Gu, G., Barnawi, A., Guo, S., Stojmenovic, I.: Malware propagation in large-scale networks. IEEE Trans. Knowl. Data Eng. 27(1), 170–179 (2015)

Acknowledgments

The authors acknowledge Professors Jan Arild Audestad, Einar Snekkenes and Katrin Franke, and the data contributions made by the Shadowserver Foundation. The authors also recognize the sponsorship from COINS Research School for information security.

Author information

Corresponding author: Gaute Wangen.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Wangen, G., Shalaginov, A. (2016). Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security. In: Lambrinoudakis, C., Gabillon, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2015. Lecture Notes in Computer Science, vol 9572. Springer, Cham. https://doi.org/10.1007/978-3-319-31811-0_8

  • DOI: https://doi.org/10.1007/978-3-319-31811-0_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31810-3

  • Online ISBN: 978-3-319-31811-0

  • eBook Packages: Computer Science (R0)