Towards quantitative risk management for next generation networks

Abstract

While user dependence on ICT is rising and the information security situation is worsening at an alarming rate, IT industry is not able to answer accurately and in time questions like "How secure is our information system?" Consequently, information security risk management is reactive and is lagging behind incidents. To overcome this problem, risk management paradigm has to change from reactive to active and from qualitative to quantitative. In this section, we present a computerized risk management approach that enables active risk management and is aligned with the leading initiative to make security measurable and manageable. Furthermore, we point out qualitative methods deficiencies and argue about the importance of use of quantitative over qualitative methods in order to improve accuracy of information security feedback information. Finally, we present two quantitative metrics, used together in the model, and enabling a quantitative risk assessment and support risk treatment decision making. © 2012 Springer-Verlag Berlin Heidelberg.