Running the risk IT – more perception and less probabilities in uncertain systems

Adrian Munteanu (Faculty of Economics and Business Administration, Alexandru Ioan Cuza University, Iasi, Romania)

Information and Computer Security

ISSN: 2056-4961

Publication date: 10 July 2017



This study aims to argue that in the case of quantitative security risk assessment, individuals do not estimate probabilities as a likelihood measure of event occurrence.


The study uses the most commonly used quantitative assessment approach, the annualized loss expectancy (ALE), to support the three research hypotheses.


The estimated probabilities used in quantitative models are subjective.

Research limitations/implications

The ALE model used in security risk assessment, although it is presented in the literature as quantitative, is, in fact, qualitative being influenced by bias.

Practical implications

The study provides a factual basis showing that quantitative assessment is neither realistic nor practical to the real world.


A model that cannot be tested experimentally is not a scientific model. In fact, the probability used in ISRM is an empirical probability or estimator of a probability because it estimates probabilities from experience and observation.



Munteanu, A. (2017), "Running the risk IT – more perception and less probabilities in uncertain systems", Information and Computer Security, Vol. 25 No. 3, pp. 345-354.



Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited

To read the full version of this content please select one of the options below

You may be able to access this content by logging in via Shibboleth, Open Athens or with your Emerald account.
To rent this content from Deepdyve, please click the button.
If you think you should have access to this content, click the button to contact our support team.