To read this content please select one of the options below:

Running the risk IT – more perception and less probabilities in uncertain systems

Adrian Munteanu (Faculty of Economics and Business Administration, Alexandru Ioan Cuza University, Iasi, Romania)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 10 July 2017




This study aims to argue that in the case of quantitative security risk assessment, individuals do not estimate probabilities as a likelihood measure of event occurrence.


The study uses the most commonly used quantitative assessment approach, the annualized loss expectancy (ALE), to support the three research hypotheses.


The estimated probabilities used in quantitative models are subjective.

Research limitations/implications

The ALE model used in security risk assessment, although it is presented in the literature as quantitative, is, in fact, qualitative being influenced by bias.

Practical implications

The study provides a factual basis showing that quantitative assessment is neither realistic nor practical to the real world.


A model that cannot be tested experimentally is not a scientific model. In fact, the probability used in ISRM is an empirical probability or estimator of a probability because it estimates probabilities from experience and observation.



Munteanu, A. (2017), "Running the risk IT – more perception and less probabilities in uncertain systems", Information and Computer Security, Vol. 25 No. 3, pp. 345-354.



Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited

Related articles