Previous revision: security_economics [2018/11/26 00:34] fabio.massacci@unitn.it [Beyond 1-5 Risk Matrices: quantitative likelihood]
Next revision: security_economics [2018/11/26 00:37] fabio.massacci@unitn.it [Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data]
Line 22: | Line 22: | ||
* //Risk = Impact · Likelihood// | * //Risk = Impact · Likelihood// | ||
- | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. Table III reports a simple example of a 3x3 risk matrix, where the interaction between the rare, frequent, certain likelihood levels and the minor, severe, critical consequence levels, results in a final 3-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | + | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. |
+ | In our {{:sp18.pdf|Risk Analysis paper}}. | ||
+ | |||
+ | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}} | ||
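Review bot: the "+" side of the Line 22 hunk keeps the typo "stillthe" ("Likelihood is stillthe holy grail") from the "-" side; since the paragraph is being rewritten anyway, correct it to "still the". Three further points on the same hunk. First, the added line "In our {{:sp18.pdf|Risk Analysis paper}}." is a sentence fragment with no predicate; either state what the paper shows (the section title promises estimating attack success likelihood from data, but the paragraph never says how) or fold the link into the bullet that follows it. Second, that bullet still reads "To appear in Risk Analysis ... 2017" while linking to a resolved publisher DOI (10.1111/risa.12864); for a November 2018 revision the "To appear" status is stale and the year should match the published volume. Third, replacing the 3x3 example with a 5x5 one removed the only reference to Table III; if that table is still present elsewhere on the page it is now orphaned, and it should show a 5x5 matrix if it is kept. On both sides the claim that risk matrices are "well known to be full of errors" is asserted without a source; if the cited Allodi and Massacci paper is where that evidence is laid out, say so in the sentence rather than leaving it as an unsupported assertion.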
==== Cyber-Insurance: good for your company, bad for your country? ==== | ==== Cyber-Insurance: good for your company, bad for your country? ==== |