How much matter probabilities in information security quantitative risk assessment?

Abstract
The starting point of this research essay is a critical review of two methods to conduct a quantitative analysis of information systems security risks: 1) Management of Risk: Guidance for Practitioners and 2) a cost model based on annual loss expectancy. We are focusing on these methods with a perspective that highlights the limits of both empiricism and the theoretical elements that underlie them. From an epistemological point of view we have considered the logical syntax of the two models, the semantics included in statements and the pragmatics of the scientific discourse: the use of models to demonstrate the risk assessment thesis, to solve the problems of risks in the human judgment versus mathematical calculus controversy. The major issues that we are discussing in this article imply various perspectives on scientific criteria, the choice among various theories and the structuring of problems proposed to be solved. We argue that the models that have been developed so far, the top-down approach (which involves well defined and well understood rules), as well as the demonstrations based on the induction method, cannot be applied in a lot of scenarios, because information systems, considered as a complex whole made up of various components, is primarily not a positivistic science solely described by mathematics. The main research question to be answered in this paper is: What are the limits of knowledge in probabilistic computations for information systems security risk assessment? Our purpose is to demonstrate the epistemological limits of the two models and the error of generalizing probability calculus using the interpretive approach.
Keywords
time, SYSTEMS RESEARCH, cause, space, epistemology, quantitative risk assessment, probabilities, empiricism, TACIT KNOWLEDGE, MANAGEMENT

Downloads

  • (...).pdf: full text, UGent only, PDF, 400.13 KB

Citation

Chicago
Devos, Jan, and Adrian Monteanu. 2013. “How Much Matter Probabilities in Information Security Quantitative Risk Assessment?” In CREATING GLOBAL COMPETITIVE ECONOMIES: 2020 VISION PLANNING & IMPLEMENTATION, VOLS 1-3, 45–57. IBIMA Publishing.
APA
Devos, Jan, & Monteanu, A. (2013). How much matter probabilities in information security quantitative risk assessment? CREATING GLOBAL COMPETITIVE ECONOMIES: 2020 VISION PLANNING & IMPLEMENTATION, VOLS 1-3 (pp. 45–57). Presented at the 22nd International-Business-Information-Management-Association Conference on Creating Global Competitive Economies: 2020 Vision Planning and Implementation, IBIMA Publishing.
Vancouver
Devos J, Monteanu A. How much matter probabilities in information security quantitative risk assessment? CREATING GLOBAL COMPETITIVE ECONOMIES: 2020 VISION PLANNING & IMPLEMENTATION, VOLS 1-3. IBIMA Publishing; 2013. p. 45–57.
MLA
Devos, Jan, and Adrian Monteanu. “How Much Matter Probabilities in Information Security Quantitative Risk Assessment?” CREATING GLOBAL COMPETITIVE ECONOMIES: 2020 VISION PLANNING & IMPLEMENTATION, VOLS 1-3. IBIMA Publishing, 2013. 45–57. Print.
@inproceedings{4131478,
  abstract     = {The starting point of this research essay is a critical review of two methods to conduct a quantitative analysis of information systems security risks: 1) Management of Risk: Guidance for Practitioners and 2) a cost model based on annual loss expectancy. We are focusing on these methods with a perspective that highlights the limits of both empiricism and the theoretical elements that underlie them. From an epistemological point of view we have considered the logical syntax of the two models, the semantics included in statements and the pragmatics of the scientific discourse: the use of models to demonstrate the risk assessment thesis, to solve the problems of risks in the human judgment versus mathematical calculus controversy. The major issues that we are discussing in this article imply various perspectives on scientific criteria, the choice among various theories and the structuring of problems proposed to be solved. We argue that the models that have been developed so far, the top-down approach (which involves well defined and well understood rules), as well as the demonstrations based on the induction method, cannot be applied in a lot of scenarios, because information systems, considered as a complex whole made up of various components, is primarily not a positivistic science solely described by mathematics. The main research question to be answered in this paper is: What are the limits of knowledge in probabilistic computations for information systems security risk assessment? Our purpose is to demonstrate the epistemological limits of the two models and the error of generalizing probability calculus using the interpretive approach.},
  author       = {Devos, Jan and Monteanu, Adrian},
  booktitle    = {CREATING GLOBAL COMPETITIVE ECONOMIES: 2020 VISION PLANNING \& IMPLEMENTATION, VOLS 1-3},
  isbn         = {9780986041914},
  keywords     = {time,SYSTEMS RESEARCH,cause,space,epistemology,quantitative risk assessment,probabilities,empiricism,TACIT KNOWLEDGE,MANAGEMENT},
  language     = {eng},
  location     = {Rome, Italy},
  pages        = {45--57},
  publisher    = {IBIMA Publishing},
  title        = {How much matter probabilities in information security quantitative risk assessment?},
  year         = {2013},
}
