Abstract

This study constructs and evaluates a Bayesian index for measuring enterprises’ information security (IS) risk. By integrating the judgments of IS experts, we built a quantitative Bayesian index model for assessing enterprise IS risk. Such an assessment makes enterprises aware of their IS risk and enables them to make better decisions about how to reduce it. Through the Delphi method and in-depth interviews with domain experts, the IS risk factors were grouped into five categories comprising a total of 29 risk items. The top five key indicators are as follows: (i) top management support; (ii) the impediment and detection of attacks by worms, viruses and spyware programs; (iii) protective measures and techniques against known hacker attacks; (iv) system access privilege control, password and gold key management; and (v) the IS equipment/software meets the requirements. Finally, the model was cross-validated against enterprises that have implemented International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. The study demonstrates that a subjective Bayesian model can be used to develop a reliable index for measuring IS risk, with potential for practical application in IS risk management.
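The abstract names the approach (a subjective Bayesian index built from expert judgments) but gives none of its formulas. The following Python example is added here and is not the paper's own model; it shows one way such an index can be computed: each risk item carries a Beta prior on the probability that the control is deficient, each expert's judgment is treated as a Bernoulli observation that updates the prior conjugately, and the enterprise index is a category-weighted average of the posterior means, scaled to 0-100. The five items are the key indicators the abstract names; the category labels, category weights, expert votes and the Beta(1,1) prior are all assumptions made for the illustration.

```python
"""
Illustrative subjective Bayesian IS-risk index (constructed example, not the paper's model).

Each risk item carries a Beta prior on p = P(the control is deficient).
Expert judgments ("deficient" / "adequate") are treated as Bernoulli
observations, so the conjugate update is a pseudo-count increment.
The enterprise index is a weighted average of posterior means on a 0-100 scale.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Judgment = Tuple[bool, float]  # (expert says the control is deficient?, expert weight)


@dataclass
class RiskItem:
    name: str
    category: str           # hypothetical category label (assumption)
    alpha: float = 1.0      # Beta prior pseudo-count for "deficient" (assumed flat prior)
    beta: float = 1.0       # Beta prior pseudo-count for "adequate"

    def update(self, judgments: List[Judgment]) -> "RiskItem":
        """Conjugate Beta-Bernoulli update; the weight models an expert's credibility."""
        for deficient, weight in judgments:
            if weight < 0:
                raise ValueError("expert weight must be non-negative")
            if deficient:
                self.alpha += weight
            else:
                self.beta += weight
        return self

    def posterior_mean(self) -> float:
        """Posterior probability that the control is deficient."""
        return self.alpha / (self.alpha + self.beta)

    def posterior_sd(self) -> float:
        """Posterior standard deviation: shrinks as more expert judgments arrive."""
        a, b = self.alpha, self.beta
        return math.sqrt(a * b / ((a + b) ** 2 * (a + b + 1)))


def risk_index(items: List[RiskItem], category_weights: Dict[str, float]) -> float:
    """Category-weighted average of per-item posterior deficiency, scaled to 0-100."""
    if abs(sum(category_weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1")
    by_cat: Dict[str, List[float]] = {}
    for it in items:
        by_cat.setdefault(it.category, []).append(it.posterior_mean())
    score = 0.0
    for cat, weight in category_weights.items():
        means = by_cat.get(cat)
        if not means:
            raise ValueError(f"no items in weighted category {cat!r}")
        score += weight * (sum(means) / len(means))
    return 100.0 * score


def rank_items(items: List[RiskItem]) -> List[Tuple[str, float, float]]:
    """Items ordered by posterior deficiency probability (highest first), with posterior sd."""
    return sorted(((it.name, it.posterior_mean(), it.posterior_sd()) for it in items),
                  key=lambda t: t[1], reverse=True)


# Category weights are an assumption for the illustration.
CATEGORY_WEIGHTS = {"management": 0.4, "technical": 0.4, "access_control": 0.2}


def example_assessment() -> List[RiskItem]:
    """Constructed judgments from four hypothetical experts for one enterprise."""
    items = [  # the five key indicators named in the abstract; categories are assumed
        RiskItem("top management support", "management"),
        RiskItem("worm/virus/spyware detection and blocking", "technical"),
        RiskItem("protection against known hacker attacks", "technical"),
        RiskItem("access privilege control, password and key management", "access_control"),
        RiskItem("IS equipment/software meets requirements", "technical"),
    ]
    votes = [
        [(False, 1.0)] * 4,                                      # all four say adequate
        [(True, 1.0), (True, 1.0), (True, 1.0), (False, 1.0)],   # three of four say deficient
        [(True, 1.0), (False, 1.0), (False, 1.0), (False, 1.0)],
        [(True, 1.0), (True, 1.0), (False, 1.0), (False, 1.0)],
        [(False, 1.0)] * 4,
    ]
    for item, judgments in zip(items, votes):
        item.update(judgments)
    return items


if __name__ == "__main__":
    assessed = example_assessment()
    print(f"risk index: {risk_index(assessed, CATEGORY_WEIGHTS):.1f} / 100")
    for name, mean, sd in rank_items(assessed):
        print(f"{mean:.2f} +/- {sd:.2f}  {name}")
```

The ranking, not just the aggregate index, is what a practitioner would act on: it lists the items on which experts most agree a control is deficient, and the posterior standard deviation flags items where few or conflicting judgments leave the estimate weak.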
