Running the risk IT – more perception and less probabilities in uncertain systems
Abstract
Purpose
This study aims to argue that in the case of quantitative security risk assessment, individuals do not estimate probabilities as a likelihood measure of event occurrence.
Design/methodology/approach
The study uses the most commonly used quantitative assessment approach, the annualized loss expectancy (ALE), to support the three research hypotheses.
Findings
The estimated probabilities used in quantitative models are subjective.
Research limitations/implications
The ALE model used in security risk assessment, although it is presented in the literature as quantitative, is, in fact, qualitative, being influenced by bias.
Practical implications
The study provides a factual basis showing that quantitative assessment is neither realistic nor practical in the real world.
Originality/value
A model that cannot be tested experimentally is not a scientific model. In fact, the probability used in ISRM is an empirical probability or estimator of a probability because it estimates probabilities from experience and observation.
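The following is an added worked example, not code from the paper, illustrating the point made above about ALE (Design/methodology/approach) and about the ARO being an empirical estimator (Originality/value). It computes ALE = SLE x ARO, estimates the ARO as an observed incident count over an observation window, and attaches an approximate Poisson rate interval to that estimate so the spread of plausible ALE values becomes visible. The incident figures, the single loss expectancy of 50,000 and the square-root approximation for the interval are constructed assumptions for illustration.

```python
"""Added example: how sampling uncertainty in an empirically estimated ARO
propagates into the annualized loss expectancy (ALE = SLE * ARO).

Assumptions (not from the paper): SLE and incident counts below are
constructed, and the rate interval uses the square-root (Anscombe-style)
approximation for a Poisson count rather than an exact interval.
"""
from math import sqrt


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy times annual rate."""
    return sle * aro


def empirical_aro(incidents: int, years: float) -> float:
    """Point estimate of the annualized rate of occurrence from observation:
    the number of incidents seen divided by the length of the window."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    if incidents < 0:
        raise ValueError("incident count cannot be negative")
    return incidents / years


def aro_interval(incidents: int, years: float, z: float = 1.96) -> tuple:
    """Approximate 95% interval for the rate behind a Poisson count.

    Uses the variance-stabilising square-root transform: for a count k,
    sqrt(k) is roughly normal with standard deviation 1/2, so the interval
    for k is ((sqrt(k) - z/2)^2, (sqrt(k) + z/2)^2), then divided by the
    window length to get a rate. The lower bound is clipped at zero, which
    also handles the common case of zero observed incidents.
    """
    if years <= 0:
        raise ValueError("observation window must be positive")
    half = z / 2.0
    root = sqrt(incidents)
    lower = max(0.0, root - half) ** 2 / years
    upper = (root + half) ** 2 / years
    return lower, upper


def ale_range(sle: float, incidents: int, years: float) -> tuple:
    """Return (ALE at lower ARO bound, ALE at point estimate, ALE at upper bound)."""
    point = empirical_aro(incidents, years)
    lo, hi = aro_interval(incidents, years)
    return ale(sle, lo), ale(sle, point), ale(sle, hi)


if __name__ == "__main__":
    # Constructed scenario: 2 incidents of one type observed over 3 years,
    # with an assumed single loss expectancy of 50,000 per incident.
    sle = 50_000.0
    incidents, years = 2, 3.0
    low, mid, high = ale_range(sle, incidents, years)
    print(f"point ARO = {empirical_aro(incidents, years):.3f}/yr")
    print(f"ALE range: {low:,.0f} .. {mid:,.0f} .. {high:,.0f}")
```

With two incidents in three years the point ARO is about 0.67 per year, but the interval runs from roughly 0.06 to 1.9 per year, so the "quantitative" ALE spans more than an order of magnitude for the same observed data; with zero observed incidents the point estimate is 0 while the upper bound is still positive. Any assessor picking a single number inside that range is making a judgement, which is the subjectivity the abstract describes.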
Citation
Munteanu, A. (2017), "Running the risk IT – more perception and less probabilities in uncertain systems", Information and Computer Security, Vol. 25 No. 3, pp. 345-354. https://doi.org/10.1108/ICS-07-2016-0055
Publisher
Emerald Publishing Limited
Copyright © 2017, Emerald Publishing Limited