Improvement of Verification of a Model Supporting Decision-Making on Information Security Risk Treatment by Using Statistical Data

Abstract

This paper introduces previous studies that propose a model supporting decision-making on information security risk treatment by the top management of an organization and its assessment using statistical data. The reason that statistical data are used to assess the model is that the data necessary for information security risk treatment are not generally disclosed for security reasons. A verification using actual data is generally difficult. This paper therefore proposes improvements to the assessment of the model using statistical data. A method to calculate the values used in the model, closer to the actual data is proposed to have more effective results by the model.