Combining Disparate Information Sources when Quantifying Security Risks

Managing risk involves making decision on which risks to treat, what treatment to use and how to finance the treatment. Decision-makers need quantitative values to be able to optimize their investment and to effectively distribute the resources available. Since security attacks are future events we have limited amount of information sources for estimation. In order to quantify frequency of occurrence, impact of incident and effect of alternative treatment options we need to combine empirical and subjective data to obtain a reasonable amount of data. In this paper we present an approach for quantifying security risks using empirical data, such as experience from similar incidents, and subjective data, such as experience and knowledge of domain experts. We look at four different approaches to combine empirical and subjective data by discussing the result from an experiment conducted with undergraduate students at NTNU, Norway. The overall focus of the approaches is on providing support for a cost-benefit analysis for trade-off between risk cost and treatment effect by maximizing the effect of the available resources. However, the main focus of this paper is on studying the effect of using empirical data as input into subjective expert judgments.