Quantitative Risk Analysis With Qualitative Statements

Abstract

Cybersecurity risk analysis is crucial for organizations to assess, identify, and prioritize possible threats to their systems and assets. Organizations seek to assess the potential costs of risks in order to determine how to invest in mitigating those risks. Risk analysts rely on qualitative methods to analyze risks. However, qualitative approaches do not produce a complete idea of the loss. The current methods lack efficacy in enabling analysts to make informed decisions. It is crucial to support analysts in their decision-making process by offering means to quantify risks. For this reason, recent studies introduced quantitative risk analysis (QRA) methods to assist organizations in determining risk mitigation strategies and resource allocation. Organizations must use QRA methods to identify and prioritize risks rather than relying on qualitative methods. However, risk analysts tend to prefer quantitative methods since they do not require precise probability estimations.

This thesis proposes a spreadsheet-based QRA method based on verbal likelihoods. Our approach relies on tables constructed by experts that map linguistic likelihood to probability ranges. Using linguistic terms to estimate risk's probability of occurrence will help experts apply quantitative estimation. We eliminate the need to assign exact probabilities by providing a tool that accepts natural language words as input. In modern approaches, Monte Carlo simulation is an important step in QRA to estimate the total loss for risks. For each risk's probability, we will estimate a continuous distribution to use in the simulation. Users will define their own linguistic terms to use them in the risk estimation process. The key benefit of our tool lies in its adaptability across various industries, empowering risk analysts to apply it according to their distinct needs. The tool grants analysts the flexibility to define estimation terms, enhancing precision in their analyses. Finally, we conducted experiments with real examples to validate our approach's accuracy, statistical significance and reliability. We compared our results with those obtained from other methods in the literature. Also, we conducted tests to measure our model's performance and robustness. Our study demonstrates the effectiveness of our approach and its potential to apply it in real-world applications.