Value at Risk: A methodology for Information Security Risk Assessment
Author
J Rees, J Jaisingh
Tech report number
CERIAS TR 2001-127
Entry type
proceedings
Abstract
This paper presents Value at Risk (VAR), a new methodology for Information Security Risk Assessment. VAR summarizes the worst loss due to a security breach over a target horizon, with a given level of confidence. More formally, VAR describes the quantile of the projected distribution of losses over a given time period. Most of the tools that are used for ISEC risk assessment are qualitative in nature and are not grounded in theory. VAR is a useful tool in the hands of an ISEC expert as it provides a theoretically based, quantitative measure of information security risk. Using this measure of risk, the best possible balance between risk and the cost of providing security can be achieved. Most organizations, especially those heavily invested in eBusiness, have already determined their acceptable level of risk. The dollar amount of this risk is then computed. When the total VAR of an organization exceeds this amount, the organization is alerted to the fact that an increased security investment is required.
Date
2001-11
Key alpha
Rees
Note
Proceedings from the INFORMS Conference on Information Systems and Technology 2001, Miami, FL
Publication Date
2001-11-00