LAWRENCE A. GORDON and MARTIN P. LOEB
ious aspects of information security risk and propose a methodology that allows decision makers to combine them into a single composite metric—the perceived composite risk, or PCR.
We recommend using the Analytic Hierarchy Process (AHP) [8] to determine the weighting factors needed to combine risk measures into the PCR. We offer an example of how decision makers can use the PCR to evaluate proposals for enhancing an organization’s information-security system. Here, we build on the AHP analysis in [1] for assisting CISOs in ranking proposals intended to enhance their organizations’ information security systems.²
Three measures that capture commonly considered facets of risk are the expected loss, expected severe loss, and standard deviation of the loss.
The expected loss is calculated by adding together the product of each loss with its respective probability.³ The expected loss is conceptually equivalent to the popular Annual Loss Expectancy (ALE) measure (see, for example, [3]). Based on this measure, the larger the expected loss, the larger would be the risk associated with a breach of information security.
The expected severe loss focuses on the breaches that would put the survivability of the organization at risk. In order to calculate the expected severe loss, the decision maker (such as a CISO) first specifies the magnitude of a loss that, were it to occur, would threaten the organization’s survivability. The expected severe loss is calculated by adding together the product of each loss that is greater than or equal to the specified threshold loss with its respective probability. Based on this metric, the larger the expected severe loss, the larger would be the risk associated with a breach of information security.
The standard deviation of loss (the square root of the variance of loss) represents the dispersion
² For more on the allocation of resources in information security, see [2, 4].
³ We assume loss is a discrete random variable.
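The three risk measures defined above, carried through on a constructed discrete loss distribution, as an added example that is not from the paper: the loss values, probabilities, survivability threshold and weights are all assumed, and combining the measures into one number as a simple weighted sum is an assumption about the aggregation, not the paper's PCR formula.

```python
from math import sqrt

# Constructed annual loss distribution: loss in dollars -> probability.
# These values are made up for illustration only.
LOSS_DISTRIBUTION = {
    0: 0.80,           # no breach this year
    50_000: 0.12,      # minor incident
    500_000: 0.06,     # major incident
    5_000_000: 0.02,   # catastrophic breach
}

# Assumed survivability threshold: a loss at or above this endangers the firm.
SEVERE_THRESHOLD = 1_000_000


def expected_loss(dist):
    """Sum of each loss times its probability (the ALE-equivalent measure)."""
    return sum(loss * p for loss, p in dist.items())


def expected_severe_loss(dist, threshold):
    """Same sum, restricted to losses >= the survivability threshold.
    Returns 0.0 when no outcome reaches the threshold."""
    return sum(loss * p for loss, p in dist.items() if loss >= threshold)


def loss_std_dev(dist):
    """Square root of the variance of the loss about its expected value."""
    mean = expected_loss(dist)
    variance = sum(p * (loss - mean) ** 2 for loss, p in dist.items())
    return sqrt(variance)


def risk_measures(dist, threshold):
    """All three measures for one loss distribution, after a sanity check."""
    if abs(sum(dist.values()) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return {
        "expected_loss": expected_loss(dist),
        "expected_severe_loss": expected_severe_loss(dist, threshold),
        "std_dev": loss_std_dev(dist),
    }


def composite_risk(measures, weights):
    """Assumed aggregation: weighted sum with weights (e.g. AHP-derived) summing to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(weights[name] * measures[name] for name in weights)
```

Comparing two proposals then means evaluating `composite_risk` on the loss distribution each proposal is expected to produce, with the same weights for both.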