Abstract
Cost evaluation often constitutes a substantial part of a total risk analysis. Models that apply decision-theoretic methods at different levels of the risk evaluation process are frequently unable to handle situations where the available information about the consequences of different incidents is vague or numerically imprecise. Based on a more general theory of decision analysis, a method for cost evaluation is suggested. It includes well-founded and computable procedures that enable a risk manager to work with interval statements and comparisons instead of point estimates. The method is easy to implement in a computer system and does not require numerically overprecise statements of probability and cost. The evaluation yields an interval expressing the minimum and maximum expected cost consistent with the risk manager's estimates, and that interval can be investigated further with respect to the range of values consistent with those estimates. The method extends a risk evaluation process currently in use at Telia AB (formerly Swedish Telecom).
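The following is an added worked example, not code from the chapter, illustrating the kind of computation the abstract describes: incidents carry interval-valued probabilities and interval-valued costs, and the output is the interval of minimum and maximum expected cost over all point values consistent with those estimates. It treats the problem as a linear program over the probability polytope (probabilities within their intervals and summing to 1) and solves it with the standard greedy assignment; the authors' own procedure may differ. It also shows the consistency check a practitioner wants before trusting the result (tightening each probability interval to the bounds actually attainable given the others). The incident names and figures are constructed sample input, not data from the chapter.

```python
"""
Expected-cost interval from interval-valued probability and cost estimates.

Added example, not the chapter's own code. Each incident i has a
probability interval [p_lo, p_hi] and a cost interval [c_lo, c_hi]; the
incidents are assumed mutually exclusive and exhaustive, so the chosen
probabilities must sum to 1, and expected cost is sum(p_i * c_i). The
greedy routine is the textbook solution of that linear program.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    p_lo: float
    p_hi: float
    c_lo: float
    c_hi: float


def check_consistency(incidents):
    """Raise ValueError if no probability vector can satisfy all intervals."""
    for i in incidents:
        if not (0 <= i.p_lo <= i.p_hi <= 1) or i.c_lo > i.c_hi:
            raise ValueError(f"malformed interval for {i.name}")
    lo = sum(i.p_lo for i in incidents)
    hi = sum(i.p_hi for i in incidents)
    if not (lo <= 1 <= hi):
        raise ValueError(f"no probability vector sums to 1 (sum lo={lo}, sum hi={hi})")


def tighten(incidents):
    """Return each probability interval pulled in to its attainable bounds.

    p_i can be no smaller than 1 - sum of the other upper bounds and no
    larger than 1 - sum of the other lower bounds; a stated bound outside
    that range can never be realised and is replaced.
    """
    check_consistency(incidents)
    sum_lo = sum(i.p_lo for i in incidents)
    sum_hi = sum(i.p_hi for i in incidents)
    return [
        Incident(
            i.name,
            max(i.p_lo, 1 - (sum_hi - i.p_hi)),
            min(i.p_hi, 1 - (sum_lo - i.p_lo)),
            i.c_lo,
            i.c_hi,
        )
        for i in incidents
    ]


def _extreme(incidents, maximize):
    """Greedy LP solution: optimise sum(p_i * c_i) with p_lo_i <= p_i <= p_hi_i, sum p_i = 1.

    Costs are fixed at the end of their interval that helps the objective.
    Every incident starts at its lower probability bound; the free mass
    (1 - sum p_lo) is then poured onto the most expensive (or cheapest)
    incidents first, each up to its upper bound.
    """
    check_consistency(incidents)
    cost = {i.name: (i.c_hi if maximize else i.c_lo) for i in incidents}
    p = {i.name: i.p_lo for i in incidents}
    free = 1 - sum(p.values())
    for i in sorted(incidents, key=lambda i: cost[i.name], reverse=maximize):
        if free <= 0:
            break
        add = min(i.p_hi - i.p_lo, free)
        p[i.name] += add
        free -= add
    return sum(p[n] * cost[n] for n in p), p


def expected_cost_interval(incidents):
    """Return (min_expected_cost, max_expected_cost, p_at_min, p_at_max)."""
    lo, p_at_lo = _extreme(incidents, maximize=False)
    hi, p_at_hi = _extreme(incidents, maximize=True)
    return lo, hi, p_at_lo, p_at_hi


# Constructed sample input (hypothetical figures): yearly scenarios for one
# system, probabilities and costs given as intervals rather than points.
SAMPLE = [
    Incident("no incident",  0.50, 0.80,     0,      0),
    Incident("minor outage", 0.10, 0.30,  1000,   5000),
    Incident("data breach",  0.02, 0.10, 50000, 200000),
    Incident("major outage", 0.01, 0.05, 20000,  80000),
]

if __name__ == "__main__":
    for inc in tighten(SAMPLE):
        print(f"{inc.name:13s} p in [{inc.p_lo:.2f}, {inc.p_hi:.2f}]")
    lo, hi, _, p_hi = expected_cost_interval(SAMPLE)
    print(f"expected cost in [{lo:.0f}, {hi:.0f}]; worst case weights {p_hi}")
```

On the sample data the stated lower bound of 0.50 for "no incident" is unattainable, because the other three incidents can absorb at most 0.45 of probability mass, so tightening raises it to 0.55; the expected cost interval is [1370, 25500], with the upper end reached by pushing every costly incident to its upper probability bound.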
Copyright information
© 1995 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Ekenberg, L., Danielson, M. (1995). Handling Imprecise Information in Risk Management. In: Eloff, J.H.P., von Solms, S.H. (eds) Information Security — the Next Decade. IFIP Advances in Information and Communication Technology. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-34873-5_27
DOI: https://doi.org/10.1007/978-0-387-34873-5_27
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-5041-2910-7
Online ISBN: 978-0-387-34873-5
eBook Packages: Springer Book Archive