A Quantitative Risk Analysis Approach for Deliberate Threats

  • Nikos Vavoulas
  • Christos Xenakis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6712)


Recently, organizations around the world are becoming aware of the need to run risk management programs in order to enhance their information security. However, the majority of the existing qualitative/empirical methods fail to adhere to the terminology defined by ISO 27000-series and treat deliberate threats in a misleading way. In this paper, a quantitative risk analysis approach for deliberate threats is introduced. The proposed approach follows the steps suggested by the ISO 27005 standard for risk management, extending them in order to focus on deliberate threats and the different information security incidents that realize them. It is based on three-levels: the conceptual foundation level, the modeling tools level and the mathematical foundation level. The conceptual foundation level defines and analyzes the terminology involved, using unified modeling language (UML) class diagrams. The modeling tools level introduces certain tools that assist in modeling the relations among different concepts. Finally, the mathematical foundation level includes all the different mathematical formulas and techniques used to estimate risk values for each threat.


risk analysis quantitative deliberate threat risk estimation risk identification 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Shneier, B.: Attack Trees: Modeling security threats. Dr. Dobb’s Journal (1999),
  2. 2.
    Shneier, B.: Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)Google Scholar
  3. 3.
    International Organization for Standarization, ISO/IEC 27001, Information Technology – Security Techniques – Information Security Management systems – Requirements (2005)Google Scholar
  4. 4.
    International Organization for Standarization, ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management (2005)Google Scholar
  5. 5.
    International Organization for Standardization (ISO), ISO/IEC 27005: Information technology – Security techniques – Information security risk management (2008)Google Scholar
  6. 6.
    Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology, NIST (2002)Google Scholar
  7. 7.
    Computer Emergency Response Team (CERT), Carnegie Mellon University, Cert Statistics (Historical),
  8. 8.
    Moore, P.A., Ellison, J.R., Linger, C.R.: Attack Modeling for Information Security and Survivability. Carnegie Mellon University, Technical Note (2001)Google Scholar
  9. 9.
    International Organization for Standarization, ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary (2009)Google Scholar
  10. 10.
    CRAMM User Guide, Version 5.0 & 5.1 (2005),
  11. 11.
    Zaobin, G., Jiufei, T., Ping, W., Vijay, V.: A Novel Security Risk Evaluation for Information Systems. In: Proceedings of the 2007 Japan-China Joint Workshop on Frontier of Computer Science and Technology, pp. 67–73 (2007)Google Scholar
  12. 12.
    Benini, M., Sicari, S.: Assessing the risk to intercept VoIP calls. Journal of Computer Networks 52(12), 2432–2446 (2008)CrossRefGoogle Scholar
  13. 13.
    Object Management Group (OMG), Unified Modeling Language Specifications,
  14. 14.
  15. 15.
    OCTAVE Information Security Risk Evaluation,

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Nikos Vavoulas
    • 1
  • Christos Xenakis
    • 1
  1. 1.Department of Digital SystemsUniversity of PiraeusGreece

Personalised recommendations