A New Approach for Information Security Risk Assessment: Value at Risk

10 Pages. Posted: 9 Mar 2008

Yasin Ozcelik

Fairfield University

Jackie Rees

Purdue University - Department of Management

Date Written: May 1, 2005

Abstract

Most of the tools that are used for Information Security (ISEC) risk assessment are qualitative and are not grounded in theory. This paper presents and applies a well-known financial risk theory, Value at Risk (VaR), to ISEC risk assessment. VaR in its most succinct form is defined as a figure that relates the amount of potential loss in a given portfolio to its probability, and describes the quantile of the projected distribution of losses over a given time period. From the ISEC perspective, VaR summarizes the worst loss due to a security breach over a target horizon, with a given level of confidence. Using this quantitative measure of risk, the best possible balance between risk and the cost of providing security to mitigate the risk can be achieved.

Keywords: information security, risk assessment, value at risk

Suggested Citation

Ozcelik, Yasin and Rees, Jackie, A New Approach for Information Security Risk Assessment: Value at Risk (May 1, 2005). Available at SSRN: https://ssrn.com/abstract=1104264 or http://dx.doi.org/10.2139/ssrn.1104264

Yasin Ozcelik (Contact Author)

Fairfield University

Dolan School of Business
1073 North Benson Road
Fairfield, CT 06824
United States

HOME PAGE: http://www.fairfield.edu

Jackie Rees

Purdue University - Department of Management

West Lafayette, IN 47907-1310
United States

Paper statistics

Downloads: 551
Abstract Views: 2,722
Rank: 105,779