Abstract

Ideally, decisions concerning investments of scarce resources in new or additional procedures and technologies that are expected to enhance information security will be informed by quantitative analyses. But security is notoriously hard to quantify, since absence of activity challenges us to establish whether lack of successful attacks is the result of good security or merely due to good luck. However, viewing security as the inverse of risk enables us to use computations of expected loss to develop a quantitative approach to measuring gains in security by measuring decreases in risk. In using such an approach, making decisions concerning investments in information security requires calculation of net benefits expected to result from the investment. Unfortunately, little data are available upon which to base an estimate of the probabilities required for developing the expected losses. This paper develops a mathematical approach to risk management based on Kaplan–Meier and Nelson–Aalen non-parametric estimators of the probability distributions needed for using the resulting quantitative risk management tools. Differences between the integrals of these estimators evaluated for enhanced and control groups of systems in an information infrastructure provide a metric for measuring increased security. When combined with an appropriate value function, the expected losses can be calculated and investments evaluated quantitatively in terms of actual enhancements to security.

Full Text
Paper version not known

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Similar Papers

Paper Title
Journal
Date
Author
Expanding the Gordon-Loeb model to cyber-insurance
Henry R.K Skeoch
Computers & Security | VOL. 112
Henry R.K SkeochHenry R.K Skeoch
08 Nov 2021
How does overconfidence affect information security investment and information security performance?
Kunxiang Dong ... Zongxiao Xie
Enterprise Information Systems | VOL. 15
Kunxiang Dong, et. al.Kunxiang Dong ... Zongxiao Xie
19 Jul 2019
Information Security Decisions of Enterprises in the Context of Digital Transformation
Leng Jie ... Qi Xin
-
Leng Jie, et. al.Leng Jie ... Qi Xin
21 Oct 2022
Basics of computer modeling of economic evaluation of investments in information security
V N Solyanoy
Informacionno-technologicheskij vestnik | VOL. 13
V N SolyanoyV N Solyanoy
30 Sep 2017
View more papers

More From: Computers & Security

Paper Title
Journal
Date
Author
A survey on privacy and security issues in IoT-based environments: Technologies, protection measures and future directions
Panjun Sun ... Qi Li
Computers & Security | VOL. 148
Panjun Sun, et. al.Panjun Sun ... Qi Li
14 Sep 2024
Practically implementing an LLM-supported collaborative vulnerability remediation process: A team-based approach
Xiaoqing Wang ... Bin Liang
Computers & Security | VOL. 148
Xiaoqing Wang, et. al.Xiaoqing Wang ... Bin Liang
14 Sep 2024
An enhanced Deep-Learning empowered Threat-Hunting Framework for software-defined Internet of Things
Prabhat Kumar ... A.K.M Najmul Islam
Computers & Security | VOL. 148
Prabhat Kumar, et. al.Prabhat Kumar ... A.K.M Najmul Islam
13 Sep 2024
ReckDroid: Detecting red packet fraud in Android apps
Yu Cheng ... Yumeng Wang
Computers & Security | VOL. 148
Yu Cheng, et. al.Yu Cheng ... Yumeng Wang
12 Sep 2024
View more papers

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.