Assessment of likelihood and consequence for information security risks – A weighted study

Authors:

  • Jonas Hallberg
  • Johan Bengtsson
  • Henrik Karlzén

Publish date: 2015-12-17

Report number: FOI-R--4152--SE

Pages: 43

Written in: Swedish

Keywords:

  • likelihood
  • consequence
  • risk
  • information security
  • AHP

Abstract

The likelihood and consequence of threats against the IT systems planned for the Swedish Armed Forces have to be assessed early in the life-cycle of these systems. Currently, several different methods are used for this purpose. These approaches share a common characteristic: absolute values for likelihood and consequence must be provided for each threat. This report describes two studies focused on finding an alternative method for assessing likelihood and consequence. The first study included a needs assessment performed to identify needs related to the assessment of likelihood and consequence of threats against planned IT systems. The second study resulted in a method based on comparisons between threats rather than the assignment of absolute likelihood and consequence values. An experiment was performed in order to evaluate the proposed method. The evaluation was performed as a comparison with a method based on assigning absolute likelihood and consequence values. In the experiment a basic version of the proposed method was used, and the results show no advantages of this configuration of the proposed method over the currently used method. The needs analysis, the proposed method, and the results of the experiment show that there are needs as well as opportunities to improve the methods for assessment of likelihood and consequence. Consequently, the proposed method should be developed further in order to outperform the method currently used, and further experiments on various aspects of comparison-based methods are needed.