Towards Validating Risk Indicators Based on Measurement Theory (Extended version)

    Research output: Book/Report > Report > Professional

    Abstract

    Due to the lack of quantitative information and for cost-efficiency, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk indicators by asking stakeholders whether they make sense. This way of validation is subjective, thus error-prone. If the metrics are wrong (not meaningful), then they may lead system owners to distribute security investments inefficiently. For instance, in an extended enterprise this may mean over-investing in service level agreements or obtaining a contract that provides a lower security level than the system requires. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk indicators that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a risk assessment method specially developed for assessing confidentiality risks in networks of organizations.
    Original language: Undefined
    Place of Publication: Enschede
    Publisher: Centre for Telematics and Information Technology (CTIT)
    Number of pages: 6
    Publication status: Published - Sep 2010

    Publication series

    Name: CTIT Technical Report Series
    Publisher: Centre for Telematics and Information Technology, University of Twente
    No.: TR-CTIT-10-31
    ISSN (Print): 1381-3625

    Keywords

    • IR-73270
    • Security
    • Measurement
    • EWI-18475
    • RISK ASSESSMENT
    • METIS-271034
    • SCS-Services

    Cite this

    Morali, A., & Wieringa, R. J. (2010). Towards Validating Risk Indicators Based on Measurement Theory (Extended version). (CTIT Technical Report Series; No. TR-CTIT-10-31). Enschede: Centre for Telematics and Information Technology (CTIT).