Abstract

Risk assessment (RA) is a core part of an organizational risk management process. The primary goals of an RA are the identification, estimation and prioritization of risks to organizational operations. Existing quantitative analyses of RA focus on the risk factors, that is, threats or vulnerabilities. However, the quantitative metrics of the assessment have not yet been formally defined and modeled. Consequently, it is essential to define a formal model and relevant security metrics for RA within an organization. In this study, we use a complete lattice to analyze risk factors. Moreover, a formal model is defined to describe the RA process, and the reachability of the model is discussed. Quantitative metrics are defined to provide insight into the risk estimation. The model can be expressed using colored Petri nets. This study can assist chief information security officers in analyzing security risks in their organizations and help them balance their organizations' security budgets.
