Simple probability theory is not a good basis for security in the case of high-stakes information resources where these resources are subject to attacks upon national infrastructure or to battle space illumination. Probability theory induces us to believe that one cannot totally rule out all probabilities of an intrusion. An alternative theoretical base is possibility theory. While persistent, well-supported, and highly professional intrusion attacks will have a higher probability of success, operating instead against the possibility of intrusion places defenders in a theoretical framework more suitable for high-stakes protection. The purpose of this paper is to introduce an alternative quantitative approach to information security evaluation that is suitable for information resources that are potential targets of intensive professional attacks. This approach operates from the recognition that information resource security is only an opinion of officials responsible for security.