A New Approach for Information Security Risk Assessment: Value at Risk

Ozcelik, Yasin; Rees, Jackie

doi:10.2139/ssrn.1104264

Download This Paper

Open PDF in Browser

Add Paper to My Library

A New Approach for Information Security Risk Assessment: Value at Risk

10 Pages Posted: 9 Mar 2008

See all articles by Yasin Ozcelik

Jackie Rees

Purdue University - Department of Management

Date Written: May 1, 2005

Abstract

Most of the tools that are used for Information Security (ISEC) risk assessment are qualitative and are not grounded in theory. This paper presents and applies a well-known financial risk theory, Value at Risk (VaR), to the ISEC risk assessment. VaR in its most succinct form is defined as a figure that relates the amount of potential loss in a given portfolio to its probability, and describes the quantile of the projected distribution of losses over a given time period. From the ISEC perspective, VaR summarizes the worst loss due to a security breach over a target horizon, with a given level of confidence. Using this quantitative measure of risk, the best possible balance between risk and cost of providing security to mitigate the risk can be achieved.

Keywords: information security, risk assesment, value at risk

Suggested Citation: Suggested Citation

Ozcelik, Yasin and Rees, Jackie, A New Approach for Information Security Risk Assessment: Value at Risk (May 1, 2005). Available at SSRN: https://ssrn.com/abstract=1104264 or http://dx.doi.org/10.2139/ssrn.1104264