A Test of Structured Threat Descriptions for Information Security Risk Assessments

Henrik Karlzen, Johan Bengtsson, Jonas Hallberg

Abstract

Assessing information security risks has proven difficult, with prevalent methods lacking clarity and resulting in assessments that vary with the rater. In this paper, we use a questionnaire-based approach to investigate whether a more structured method, partitioning threat descriptions into smaller parts, can be useful. Although the new method did not result in less cognitive load, lower uncertainty, or overall reduced rater-dependency, there were strong indications that it lowered rater-dependency among raters with the highest expertise, reaching the consensus levels of experts in the intrusion detection domain. Conversely, non-experts seem to perform better with the traditional descriptive method. Caution is needed when interpreting this, as the Dunning-Kruger effect may have skewed the self-reporting of expertise. Further, the less certain raters were more prone to rate severity lower, indicating the missing variable of risk aversion. Moreover, other kinds of bias are discussed, and further structuring is proposed.

Paper Citation


in Harvard Style

Karlzen H., Bengtsson J. and Hallberg J. (2018). A Test of Structured Threat Descriptions for Information Security Risk Assessments. In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-282-0, pages 469-476. DOI: 10.5220/0006719604690476


in Bibtex Style

@conference{icissp18,
author={Henrik Karlzen and Johan Bengtsson and Jonas Hallberg},
title={A Test of Structured Threat Descriptions for Information Security Risk Assessments},
booktitle={Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2018},
pages={469-476},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006719604690476},
isbn={978-989-758-282-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Test of Structured Threat Descriptions for Information Security Risk Assessments
SN - 978-989-758-282-0
AU - Karlzen H.
AU - Bengtsson J.
AU - Hallberg J.
PY - 2018
SP - 469
EP - 476
DO - 10.5220/0006719604690476