Abstract
According to the Basel II Accord for banks and Solvency II for the insurance industry, not only the market and financial risks of an institution must be determined but also its operational risks (opRisk). In recent decades, Value at Risk (VaR) has become the established basis for assessing market and financial risks. Occasionally, suggestions are made as to how VaR should be determined in the field of operational risk. However, the existing proposals can be applied to an IT infrastructure only to a limited extent, or only to parts of it, such as VoIP telephony. In this article, a proposal for calculating a technical Value at Risk (t-VaR) is discussed. The proposal is based on the risk scenario technique and uses the conditional probability of Bayes' theorem. The vulnerabilities were determined empirically for an insurance company in 2012. To determine the threats, attack trees and threat actors are used; the attack trees are weighted by a function called the criminal energy. To verify this approach, the t-VaR was calculated for the VoIP telephony of an insurance company. It turns out that the method achieves good and sufficient results for the IT infrastructure and is an effective means of meeting the requirements of Solvency II.
© 2013 IFIP International Federation for Information Processing
Boehmer, W. (2013). How to Estimate a Technical VaR Using Conditional Probability, Attack Trees and a Crime Function. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds) Security Engineering and Intelligence Informatics. CD-ARES 2013. Lecture Notes in Computer Science, vol 8128. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40588-4_20
DOI: https://doi.org/10.1007/978-3-642-40588-4_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40587-7
Online ISBN: 978-3-642-40588-4
eBook Packages: Computer Science (R0)