This study aims to argue that in the case of quantitative security risk assessment, individuals do not estimate probabilities as a likelihood measure of event occurrence.
The study uses the most commonly used quantitative assessment approach, the annualized loss expectancy (ALE), to support the three research hypotheses.
The estimated probabilities used in quantitative models are subjective.
The ALE model used in security risk assessment, although it is presented in the literature as quantitative, is, in fact, qualitative being influenced by bias.
The study provides a factual basis showing that quantitative assessment is neither realistic nor practical to the real world.
A model that cannot be tested experimentally is not a scientific model. In fact, the probability used in ISRM is an empirical probability or estimator of a probability because it estimates probabilities from experience and observation.
Munteanu, A. (2017), "Running the risk IT – more perception and less probabilities in uncertain systems", Information and Computer Security, Vol. 25 No. 3, pp. 345-354. https://doi.org/10.1108/ICS-07-2016-0055
Emerald Publishing Limited
Copyright © 2017, Emerald Publishing Limited