User Tools
security_economics
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
security_economics [2018/11/26 00:28] fabio.massacci@unitn.it |
security_economics [2018/11/26 00:37] fabio.massacci@unitn.it [Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data] |
||
|---|---|---|---|
| Line 16: | Line 16: | ||
| See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
| - | ==== Beyond 1-5 Risk Matrices: quantitative likelihood === | + | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === |
| + | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation | ||
| + | * //Risk = Impact · Likelihood// | ||
| + | |||
| + | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||
| + | |||
| + | In our {{:sp18.pdf|Risk Analysis paper}}. | ||
| + | |||
| + | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}} | ||
| ==== Cyber-Insurance: good for your company, bad for your country? ==== | ==== Cyber-Insurance: good for your company, bad for your country? ==== | ||
security_economics.txt · Last modified: 2021/01/29 10:58 (external edit)
Page Tools
