Abstract
In this paper, the authors present a quantitative model for estimating security risk exposure for a firm. The model includes a formulation for the optimization of controls as well as determining sensitivity of the exposure of assets to different threats. The model uses a series of matrices to organize the data as groups of assets, vulnerabilities, threats, and controls. The matrices are then linked such that data is aggregated in each matrix and cascaded across the other matrices. The computations are reversible and transparent allowing analysts to answer what-if questions on the data. The exposure formulation is based on the Annualized Loss Expectancy (ALE) model, and uncertainties in the data are captured via Monte Carlo simulation. A mock case study based on a government agency is used to illustrate this methodology.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
