Quantifying and Analyzing Information Security Risk from Incident Data

  • Gaute Wangen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)


Multiple cybersecurity risk assessment and root cause analysis methods propose incident data as a source of information. However, it is not a straightforward matter to apply incident data in risk assessments. The paper trail of incident data is often incomplete, ambiguous, and dependent on the incident handlers' routines for keeping records. Current incident classification approaches classify incidents as one specific type, for example, “Data spillage,” “Compromised information,” or “Hacking.” Through incident analysis, we found that the current classification schemes are ambiguous and that most incidents consist of additional components. This paper builds on previous work on incident classifications and proposes a method for quantifying and risk-analyzing incident data to improve decision-making. The applied approach uses a set of incident data to derive the causes, outcomes, and frequencies of risk events. The data in this paper was gathered from a year of incident handling at a Scandinavian university’s security operations center (SOC), and consists of 550 handled incidents from November 2016 to October 2017. By applying the proposed method, this paper offers empirical insight into the risk frequencies of the University during the period. We demonstrate the utility of the approach by deducing the properties of the most frequent risks and creating graphical representations of risks using a bow-tie diagram. The primary contribution of this paper is highlighting the ambiguity of existing incident classification methods and showing how to address it in risk quantification. Additionally, we apply the data in risk analysis to provide insight into common cyber risks faced by the University during the period. A fundamental limitation is that this study only defines adverse outcomes and does not include consequence estimates.


Keywords: Information security, Cyber security, Security incidents, Risk analysis, Threat intelligence



The NTNU digital security section and SOC consisting of Christoffer Vargtass Hallstensen, Frank Wikstrøm, Harald Hauknes, Hans Åge Marthinsen, Vebjørn Slyngstadli, Gunnar Dørum, Lars Einarsen, and Stian Husemoen. Vivek Agrawal and the anonymous reviewers for help with quality assurance.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway
