EEMCS EPrints Service


18475 Towards Validating Risk Indicators Based on Measurement Theory (Extended version)

Morali, A. and Wieringa, R.J. (2010) Towards Validating Risk Indicators Based on Measurement Theory (Extended version). Technical Report TR-CTIT-10-31, Centre for Telematics and Information Technology University of Twente, Enschede. ISSN 1381-3625

Full text available as: PDF (Univ. of Twente only, 106 Kb)

Abstract

Due to the lack of quantitative information, and for cost-efficiency, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk indicators by asking stakeholders whether they make sense. This way of validation is subjective and thus error-prone. If the metrics are wrong (not meaningful), they may lead system owners to distribute security investments inefficiently. For instance, in an extended enterprise this may mean over-investing in service level agreements, or obtaining a contract that provides a lower security level than the system requires. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk indicators that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a risk assessment method specially developed for assessing confidentiality risks in networks of organizations.

Item Type: Internal Report (Technical Report)
Research Group: EWI-DIES: Distributed and Embedded Security; EWI-IS: Information Systems
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: VRIEND: Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized
Uncontrolled Keywords: security; risk assessment; measurement
ID Code: 18475
Deposited On: 24 September 2010
