This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | Next revision Both sides next revision | ||
security_economics [2018/11/26 00:28] fabio.massacci@unitn.it |
security_economics [2018/11/26 00:34] fabio.massacci@unitn.it [Beyond 1-5 Risk Matrices: quantitative likelihood] |
||
---|---|---|---|
Line 16: | Line 16: | ||
See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
- | ==== Beyond 1-5 Risk Matrices: quantitative likelihood === | + | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === |
+ | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation | ||
+ | |||
+ | * //Risk = Impact · Likelihood// | ||
+ | |||
+ | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. Table III reports a simple example of a 3x3 risk matrix, where the interaction between the rare, frequent, certain likelihood levels and the minor, severe, critical consequence levels, results in a final 3-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||