Towards Validating Risk Indicators Based on Measurement Theory

A. Morali, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    Abstract

    Due to the lack of quantitative information and for cost-efficiency purposes, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk scales by asking stakeholders whether they make sense. This way of validation is subjective and thus error-prone. If the metrics are wrong (not meaningful), then they may lead system owners to distribute security investments inefficiently. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk scales that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a particular risk assessment method specially developed for assessing confidentiality risks in networks of organizations.
    Original language: Undefined
    Title of host publication: ISSRE 2010 Supplemental Proceedings: 1st International Workshop on Risk and Trust in Extended Enterprises
    Place of Publication: USA
    Publisher: IEEE Computer Society
    Pages: 443-447
    Number of pages: 5
    ISBN (Print): 978-0-7695-4255-3
    Publication status: Published - 8 Oct 2010

    Publication series

    Name
    Publisher: IEEE Computer Society
    ISSN (Print): 1574-0846
    ISSN (Electronic): 0929-0672

    Keywords

    • IR-73509
    • METIS-271059
    • Measurement
    • SCS-Services
    • RISK ASSESSMENT
    • Security
    • EWI-18558

    Cite this

    Morali, A., & Wieringa, R. J. (2010). Towards Validating Risk Indicators Based on Measurement Theory. In ISSRE 2010 Supplemental Proceedings: 1st International Workshop on Risk and Trust in Extended Enterprises (pp. 443-447). USA: IEEE Computer Society.