A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability

Wolter Pieters, Sanne H.G. van der Ven, Christian W. Probst

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    12 Citations (Scopus)
    358 Downloads (Pure)


    One of the big problems of risk assessment in information security is the quantification of risk-related properties, such as vulnerability. Vulnerability expresses the likelihood that a threat agent acting against an asset will cause impact, for example, the likelihood that an attacker will be able to crack a password or break into a system. This likelihood depends on the capabilities of the threat agent and the strength of the controls in place. In this paper, we provide a framework for estimating these three variables based on the Elo rating used for chess players. This framework re-interprets security from the field of Item Response Theory. By observing the success of threat agents against assets, one can rate the strength of threats and controls, and predict the vulnerability of systems to particular threats. The application of Item Response Theory to the field of risk is new, but analogous to its application to children solving math problems. It provides an innovative and sound way to quantify vulnerability in models of (information) security.
    Original languageEnglish
    Title of host publicationProceedings of the 2012 Workshop on New security paradigms (NSPW 2012)
    Place of PublicationNew York, NY
    PublisherAssociation for Computing Machinery (ACM)
    Number of pages14
    ISBN (Print)978-1-4503-1794-8
    Publication statusPublished - 18 Sep 2012
    Event2012 New Security Paradigms Workshop, NSPW 2012 - Bertinoro, Italy
    Duration: 18 Sep 201221 Sep 2012


    Workshop2012 New Security Paradigms Workshop, NSPW 2012
    Abbreviated titleNSPW


    • SCS-Cybersecurity
    • Control strength
    • Vulnerability
    • Item Response Theory
    • Security Metrics
    • Threat capability
    • rating systems
    • Elo


    Dive into the research topics of 'A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability'. Together they form a unique fingerprint.

    Cite this