Abstract
This paper presents Value at Risk (VAR), a new methodology for Information Security Risk Assessment. VAR summarizes the worst loss due to a security breach over a target horizon, with a given level of confidence. More formally, VAR describes the quantile of the projected distribution of losses over a given time period. Most of the tools that are used for ISEC risk assessment are qualitative in nature and are not grounded in theory. VAR is a useful tool in the hands of an ISEC expert as it provides a theoretically based, quantitative measure of information security risk. Using this measure of risk, the best possible balance between risk and cost of providing security can be achieved. Most organizations, especially those heavily invested in eBusiness, already have determined the acceptable level of risk. The dollar amount of this risk is then computed. When the total VAR of an organization exceeds this amount, the organization is alerted to the fact that an increased security investment is required.
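The quantile definition above, worked through on a small constructed loss distribution (an added example, not code from the paper): three independent breach events with assumed per-horizon probabilities and dollar losses are enumerated into a total-loss distribution, VAR is read off as the quantile at the chosen confidence level, and the result is compared with the organization's acceptable dollar amount of risk. The threat names, probabilities and losses are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Threat:
    name: str
    prob: float   # assumed probability the breach occurs within the horizon
    loss: float   # assumed dollar loss if it occurs


# Constructed sample input (not from the paper).
THREATS = [
    Threat("web app compromise", 0.10, 200_000.0),
    Threat("customer database breach", 0.04, 500_000.0),
    Threat("phishing-driven fraud", 0.20, 20_000.0),
]


def loss_distribution(threats):
    """Enumerate all 2^n combinations of independent breach events and
    return the total-loss distribution as a list of (loss, probability)
    pairs sorted by loss."""
    dist = {}
    for outcome in product((0, 1), repeat=len(threats)):
        prob, total = 1.0, 0.0
        for threat, occurred in zip(threats, outcome):
            prob *= threat.prob if occurred else 1.0 - threat.prob
            total += threat.loss if occurred else 0.0
        dist[total] = dist.get(total, 0.0) + prob
    return sorted(dist.items())


def expected_loss(threats):
    """Mean of the loss distribution, for contrast with the tail quantile."""
    return sum(loss * p for loss, p in loss_distribution(threats))


def value_at_risk(threats, confidence=0.95):
    """VAR at the given confidence: the smallest loss L such that
    P(total loss <= L) >= confidence, i.e. the quantile of the distribution."""
    cumulative = 0.0
    for loss, p in loss_distribution(threats):
        cumulative += p
        if cumulative >= confidence - 1e-12:  # tolerate float rounding
            return loss
    return loss  # only reached if probabilities do not sum to 1


def security_investment_required(threats, acceptable_loss, confidence=0.95):
    """The paper's alert condition: total VAR exceeds the acceptable dollar risk."""
    return value_at_risk(threats, confidence) > acceptable_loss
```

Raising the confidence level from 95% to 99% moves VAR from the single-breach tail into the outcomes where the database breach occurs, which is what trips the alert against the same acceptable loss.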