A New Approach for Information Security Risk Assessment: Value at Risk
10 Pages. Posted: 9 Mar 2008
Date Written: May 1, 2005
Abstract
Most of the tools used for Information Security (ISEC) risk assessment are qualitative and are not grounded in theory. This paper presents and applies a well-known financial risk theory, Value at Risk (VaR), to ISEC risk assessment. VaR in its most succinct form is a figure that relates the amount of potential loss in a given portfolio to its probability: it is the quantile of the projected distribution of losses over a given time period. From the ISEC perspective, VaR summarizes the worst loss due to a security breach over a target horizon, at a given level of confidence. With this quantitative measure of risk, an organization can seek the best possible balance between the risk it carries and the cost of the security controls that mitigate it.
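The abstract defines VaR as a quantile of the projected loss distribution over a horizon at a chosen confidence. The following is an added worked example, not code from the paper or its author: it builds an annual loss distribution from a constructed breach-frequency model (Poisson) and a per-breach severity model (lognormal), reads VaR off that distribution as the empirical quantile, adds expected shortfall for the tail beyond VaR, and uses the VaR reduction bought by a control as one simple illustration of weighing risk against the cost of security. All rates, severities, costs and the decision rule are assumptions chosen for illustration, not values or criteria from the paper.

```python
"""Value at Risk (VaR) for information security losses.

Added worked example (not from the paper): an annual loss distribution is
simulated from a breach-frequency model and a per-breach severity model, and
VaR is read off as the quantile of that distribution at a chosen confidence.
Every parameter below is a constructed assumption for illustration.
"""
import math
import random
from typing import List, Tuple


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Empirical VaR: the loss not exceeded with probability `confidence`.

    Uses the upper empirical quantile: sort the sample and take the element
    at 1-based position ceil(confidence * n), so that at least a fraction
    `confidence` of the observed losses is <= the returned value.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if not losses:
        raise ValueError("need at least one loss observation")
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def expected_shortfall(losses: List[float], confidence: float) -> float:
    """Mean loss in the tail at or beyond VaR (conditional VaR).

    VaR alone says nothing about how bad the losses beyond it are; this
    complements it for heavy-tailed breach severities.
    """
    var = value_at_risk(losses, confidence)
    tail = [x for x in losses if x >= var]
    return sum(tail) / len(tail)


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's algorithm (fine for a few events/year)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(n_years: int, breaches_per_year: float,
                           sev_mu: float, sev_sigma: float,
                           seed: int = 1) -> List[float]:
    """Monte Carlo: each year's loss is the sum of lognormal per-breach losses.

    The frequency/severity split is a constructed modelling assumption.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        n = poisson(rng, breaches_per_year)
        years.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n)))
    return years


def control_is_worth_it(baseline: List[float], mitigated: List[float],
                        annual_cost: float,
                        confidence: float) -> Tuple[float, float, bool]:
    """Compare a control's annual cost with the VaR reduction it buys.

    Returns (var_before, var_after, worth_it). The rule "VaR reduction
    exceeds cost" is an assumed illustration of balancing risk against the
    cost of security, not a criterion taken from the paper.
    """
    before = value_at_risk(baseline, confidence)
    after = value_at_risk(mitigated, confidence)
    return before, after, (before - after) > annual_cost


if __name__ == "__main__":
    # Constructed assumptions: ~2 breaches/year, median breach ~ $20k, heavy tail.
    base = simulate_annual_losses(10_000, 2.0, math.log(20_000), 1.2, seed=1)
    # Hypothetical control assumed to halve breach frequency; same severity model.
    mitigated = simulate_annual_losses(10_000, 1.0, math.log(20_000), 1.2, seed=2)
    for c in (0.95, 0.99):
        b, a, ok = control_is_worth_it(base, mitigated, 30_000, c)
        print(f"{c:.0%} VaR: before ${b:,.0f}  after ${a:,.0f}  "
              f"control at $30k/yr {'justified' if ok else 'not justified'}")
    print(f"99% expected shortfall (baseline): ${expected_shortfall(base, 0.99):,.0f}")
```

Two caveats a practitioner would apply: the quantile is only as good as the frequency and severity models feeding it, and at 99% confidence with 10,000 simulated years the tail estimate rests on about 100 observations, so the seed and sample size both move the result.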
Keywords: information security, risk assessment, value at risk