The quantification of information systems risk

A look at quantitative responses to information security issues

Craig Wright

Research output: Thesis (Doctoral Thesis)


Abstract

This thesis demonstrates that information security can be modelled through a systematic integration of the human, system and software aspects of risk. It shows that it is achievable to build risk models by combining these approaches, drawing on the advanced statistical techniques now available, and to construct game-theoretic quantitative models of risk to information systems within set confidence levels. The research demonstrates that it is feasible to investigate and quantify the root causes of the security flaws that act as sources of system compromise, allowing businesses and governments to allocate funds for controlling risk most efficiently. The thesis demonstrates that doing so requires integrated models that account for the various risk dimensions in information security. Research into the effects of poor system design, market-based risk solutions built on derivative instruments, and the impact of common system misconfigurations is incorporated into multivariate survival models. The research also addresses the economic impact of various decisions as a means of determining the optimal distribution of costs and liability in information security, and of assigning costs in computer system security and reliability engineering.
Original language: English
Qualification: Doctor of Philosophy
Awarding institution
  • Charles Sturt University
Supervisors/Advisors
  • Zia, Tanveer, Principal Supervisor
  • Wong, Alfred, Co-Supervisor
Award date: 08 Feb 2017
Place of publication: Australia
Publisher: Charles Sturt University
Publication status: Published - 2017

Fingerprint

Quantification
Information security
Security issues
Information systems
Costs
Compromise
Survival model
Integrated model
Derivatives
Government
Quantitative model
Software
Confidence set
Risk model
Economic impact
System design
Computer systems
Liability

Cite this

@phdthesis{0ef2afdceaa34d81b1026f4e72408fba,
title = "The quantification of information systems risk: A look at quantitative responses to information security issues",
author = "Craig Wright",
note = "Thesis",
year = "2017",
language = "English",
publisher = "Charles Sturt University",
address = "Australia",
school = "Charles Sturt University",
}

Wright, C 2017, 'The quantification of information systems risk: A look at quantitative responses to information security issues', Doctor of Philosophy, Charles Sturt University, Australia.

Wright, Craig. The quantification of information systems risk: A look at quantitative responses to information security issues. Australia: Charles Sturt University, 2017. 362 p.
