Title:
Information Security Risk Assessment: The Qualitative Versus Quantitative
Dilemma
Abstract: This paper presents the main security risk assessment
methodologies used in information technology. The author starts from the [Sherer
and Alter, 2004] and [Ma and Pearson, 2005] research, bringing in real-world
examples so as to underline the limitations of the two risk assessment models. After
a critical review of standards that reveals a lack of rigour, a practical comparison
of the quantitative information security risk assessment models with the
qualitative models shows that we can introduce two new factors which have
an impact on risk assessment: the time constraint and the moral hazard of the analyst.
Information technology managers know that in information systems long-term
security is an ideal situation and that the financial impact of poor information
security policies, procedures and standards is in most cases very difficult
to calculate. These calculations are rarely accurate, universal,
and ready for use by any security analyst.
Author: Adrian Munteanu