Abstract

Protecting information is a crucial issue in today's society, in both work and home environments. Over the years, different tools and technologies have contributed to safeguarding information, including risk analysis methodologies developed to evaluate the risk of threat materialization despite security measures. Traditional risk analysis methodologies base risk computation on, among other parameters, the frequency of occurrence of threats, which is gathered from available historical data. However, as new safeguards are implemented and vulnerability potential changes, threat frequencies may also change. To take into account the current state of an organization's system as well as historical data, we propose to substitute past threat frequency with the probability of a threat occurring in the future. To compute this future threat probability, we use regression models, validated by a risk analysis for a Spanish SME based on Magerit (Spanish adaptation of ISO/IEC 27005). The results show that the future probability of each threat can be calculated with accuracy, precision, sensitivity and specificity rates above 70%. Obtaining a more realistic risk estimate (reflecting the current state of vulnerabilities) translates into the adoption of better and more efficient safeguards that reduce losses and improve information security in a business.
