Reconciling Malicious and Accidental Risk in Cyber Security

Wolter Pieters, Zofia Lukszo, D. Hadziosmanovic, Jan van den Berg

    Research output: Contribution to journal › Article › Academic › peer-review



    Consider the question whether a cyber security investment is cost-effective. The answer depends on the expected frequency of attacks. Unlike the threat event frequencies or hazard rates used in safety risk management, the frequencies of targeted attacks are not independent of system design, because attackers behave strategically: they choose where to attack based on what the system looks like. Although risk assessment methods exist that deal with strategic attackers, these do not provide expected frequencies as outputs, which makes it impossible to integrate them into existing (safety) risk management practices. To overcome this problem, we propose to extend the FAIR (Factor Analysis of Information Risk) framework to support malicious, targeted attacks. Our approach is based on (1) a clear separation of system vulnerability from environmental threat event frequencies, and (2) deriving threat event frequencies from attacker resources and attacker strategies rather than estimating them directly, drawing upon work in adversarial risk analysis. This approach constitutes an innovative way to quantify expected attack frequencies as a component of (information) security metrics for investment decisions.
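    The following Python example is added here to illustrate the abstract's central point; it is not the paper's model and not code from the authors. It uses the FAIR decomposition (loss event frequency = threat event frequency × vulnerability, annualised loss = loss event frequency × loss magnitude) and, instead of estimating the threat event frequency (TEF) directly, derives it from a constructed attacker strategy: an attacker with a fixed yearly budget of attempts who spreads them in proportion to each target's expected payoff (payoff × vulnerability). The allocation rule, the two-system portfolio, the payoff and loss figures and the `hardening_comparison` helper are all assumptions made for the illustration. The comparison shows why a safety-style fixed hazard rate misjudges an investment: hardening one system lowers its own TEF and pushes attempts onto the other system.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Target:
    """One system the attacker can go after.

    vulnerability: FAIR 'vulnerability', probability that an attempt succeeds (0..1).
    payoff: attacker's gain per success; loss: defender's loss per success.
    Units are arbitrary; the values used below are constructed for illustration.
    """
    name: str
    vulnerability: float
    payoff: float
    loss: float


def strategic_tef(targets, attempts_per_year):
    """Derive each target's threat event frequency (TEF) from attacker
    resources and strategy instead of estimating it directly.

    Assumption (illustrative, not the paper's model): the attacker has a fixed
    budget of attempts per year and spreads them in proportion to each target's
    expected payoff, payoff * vulnerability. Any allocation rule that depends on
    vulnerability makes the same point: TEF is not an exogenous hazard rate.
    """
    expected = {t.name: t.payoff * t.vulnerability for t in targets}
    total = sum(expected.values())
    if total == 0.0:
        return {name: 0.0 for name in expected}
    return {name: attempts_per_year * e / total for name, e in expected.items()}


def fair_loss(targets, tef):
    """FAIR decomposition: LEF = TEF * vulnerability, ALE = LEF * loss."""
    result = {}
    for t in targets:
        lef = tef[t.name] * t.vulnerability
        result[t.name] = {"tef": tef[t.name], "lef": lef, "ale": lef * t.loss}
    return result


def hardening_comparison(targets, attempts_per_year, name, new_vulnerability):
    """Total annualised loss over all targets before and after hardening one
    target, computed two ways:

    - 'after_naive': TEF held at its pre-investment value, as a safety-style
      hazard rate would be;
    - 'after_strategic': TEF re-derived because the attacker re-allocates.
    """
    before_tef = strategic_tef(targets, attempts_per_year)
    before = fair_loss(targets, before_tef)

    hardened = [replace(t, vulnerability=new_vulnerability) if t.name == name else t
                for t in targets]
    naive = fair_loss(hardened, before_tef)
    strategic = fair_loss(hardened, strategic_tef(hardened, attempts_per_year))

    def total(r):
        return sum(v["ale"] for v in r.values())

    return {
        "before": total(before),
        "after_naive": total(naive),
        "after_strategic": total(strategic),
        "per_target_strategic": strategic,
    }


# Constructed sample portfolio: two systems with equal payoff and loss,
# differing only in how vulnerable they are.
PORTFOLIO = [
    Target("A", vulnerability=0.5, payoff=100.0, loss=200.0),
    Target("B", vulnerability=0.2, payoff=100.0, loss=200.0),
]
ATTEMPTS_PER_YEAR = 100.0  # assumed attacker resource budget


if __name__ == "__main__":
    r = hardening_comparison(PORTFOLIO, ATTEMPTS_PER_YEAR, "A", 0.1)
    for k in ("before", "after_naive", "after_strategic"):
        print(f"{k:16s} ALE = {r[k]:8.2f}")
    for name, v in r["per_target_strategic"].items():
        print(f"  {name}: TEF={v['tef']:.2f}/yr LEF={v['lef']:.2f}/yr ALE={v['ale']:.2f}")
```

    With the constructed figures, hardening A from a vulnerability of 0.5 to 0.1 looks like a reduction of total annualised loss from about 8286 to about 2571 when A's TEF is held fixed, but the strategic recomputation gives about 3333: A's own TEF drops (the attacker attempts it less), while B's TEF more than doubles. A fixed-frequency estimate therefore overstates the benefit of the investment for the portfolio and misses the displacement onto B, which is exactly the dependence of attack frequency on system design that the abstract argues a safety-style hazard rate cannot capture.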
    Original language: Undefined
    Pages (from-to): 4-26
    Number of pages: 23
    Journal: Journal of internet services and information security
    Issue number: 2
    Publication status: Published - May 2014


    • EWI-24739
    • SCS-Cybersecurity
    • Security Metrics
    • IR-91396
    • threat event frequency
    • Adversarial risk analysis
    • METIS-305881
    • factor analysis of information risk
