IT Security as Risk Management - overview
This project started as the Security for System S project, where there is a need for a flexible access control system. This access control system returns three kinds of decisions: allow, deny and allow with risk mitigation measures; where the choice of mitigation measures depends on the quantified estimate of risk associated with allowing the access and the organization’s risk tolerance.
This concept is further extended to view IT Security as Risk Management. The basic idea is described in IBM Research Report RC24529. We view the source of risk as the uncertainty associated with a decision. An IT security decision may or may not lead to a undesired consequence, which may include tangible damage such monetary loss, and/or intangible damage such as damage to reputation. The probability of occurrences of such undesired consequences and the magnitudes of damages are the two main factors we need to estimate and manage.
In general, neither the probabilities nor the magnitudes of damages can be estimated with high precision. So we aim to continuously collect data and expert opinions to estimate and continuously refine the distributions of damages and the distributions of probabilities (a pdf in [0,1]).
Being able to produce and refine these estimates are only half of the story. We have been studying ways to use these estimates to make informed security decisions so as to maximize the utility of resources, sharing of information, ... and still keep the overall risk within an acceptable level.
Our related publications can be found here.