The Information Security Risk Estimation Engine: A Tool for Possibility Based Risk Assessment

Abstract

Risk analysis methods help evaluate the costs of information security controls in relation to their benefits. Despite dramatic changes in the constellation of information security risks, the basic approach to these risk calculation methods remains unchanged. The fundamental mathematics underlying these methods is anchored to probability theory. Probability has the advantage of being widely known and conceptually simple. But it has a disadvantage in its grounding on expert estimates of frequency data because such data is often publicly unavailable. This paper proposes the use of possibility theory as an alternative grounding for information security risk calculations. Possibility theory assumes the data grounding will be estimations. The estimations include expert evaluations of both possibility and likelihood of risks. Using a design science research approach, we use possibility theory as the kernel theory in developing and evaluating a practical possibility-based risk estimation prototype. The results offer an expanded grounding to improve information security risk analysis through the use of a broader portfolio of distinct methodologies anchored to alternative mathematical theories of evidence.