Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma

Abstract:

This paper presents the main security risk assessment methodologies used in information technology. The author starts from the research of [Sherer and Alter, 2004] and [Ma and Pearson, 2005], bringing real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of quantitative information security risk assessment models with qualitative models shows that two new factors can be introduced which have an impact on risk assessment: the time constraint and the moral hazard of the analyst. Information technology managers know that long-term security in information systems is an ideal situation, and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. Such calculations will rarely be accurate, universal and ready for use by any security analyst.