Some Problems in Quantified Security
Licentiate thesis, 2010

This thesis contains work related to quantitative representation and analysis of computer and information security. The ability to accurately describe security using quantitative methods could offer better control and evaluation of security in operational settings. However, a number of challenges remain, generally in modeling but also in validation and usability. In this work, we improve knowledge about two identified challenges: (i) validation of methods and (ii) decision-making using quantified risk. The first part of the thesis critically surveys many of the proposed methods to quantitatively describe security, by focusing on their validity. After defining a taxonomy, we survey assumptions and methods for validation that have been used in a large fraction of previous work on the subject. We find that many methods lack clear validation with respect to operational environments, and how some model assumptions are not empirically well-supported. We also discuss the characteristics of operational security that make modeling and quantification a remaining challenge. Furthermore, we discuss what future efforts could target in validating quantitative methods for operational security. In the second part we consider a specific type of quantified security: quantified risk, an existing proposal to analyze security quantitatively in terms of probabilities and losses of events. We relate this to the usability of quantified information when people make risky decisions, drawing on previous experimental work in behavioral economics. A common assumption in economic and quantitative analysis of security is that correct knowledge about quantified risk leads to rational decision-making. However, previous experimental results show that people are not always handling quantitative information rationally. We hypothesize that this may impact security decision-making using quantified risk, and study this for two security decision-making problems by a combined theoretical and numerical study. This thesis has two main conclusions. First, validity of many current methods in quantified security is unknown, but there is room for improvement. Second, there are potential decision-making problems in using quantified risk for control of operational security.

computer security

quantified risk

quantified security

risk behavior

operational risk

security metrics

information security

survey

quantitative models

decision-making

risk perception

HC3
Opponent: Ketil Stölen

Author

Vilhelm Verendel

Chalmers, Computer Science and Engineering (Chalmers)

Other publications Research

Subject Categories

Computer and Information Science

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University

Publisher

Chalmers

HC3

Opponent: Ketil Stölen

More information

Latest update

9/4/2020 1

Feedback and support

If you have questions, need help, find a bug or just want to give us feedback you may use this form, or contact us per e-mail research.lib@chalmers.se.

About

Research.chalmers.se contains research information from Chalmers University of Technology, Sweden. It includes information on projects, publications, research funders and collaborations.

More about coverage period and what is publicly available

Privacy and cookies

Accessibility

Citation Style Language
citeproc-js (Frank Bennett)

Links

Chalmers Library
Chalmers Research
Chalmers Student Theses

Chalmers University of Technology

SE-412 96 GOTHENBURG, SWEDEN
PHONE: +46 (0)31-772 10 00
WWW.CHALMERS.SE