around the expected loss. It is computed by taking the square root of the sum, over all possible losses, of the squared deviation of each loss from the expected loss multiplied by the probability of that loss. Under this metric, the larger the standard deviation, the larger the risk associated with a security breach. We use the standard deviation of loss rather than the variance of loss because the standard deviation is measured in the same units (for example, dollars) as both the expected loss and the expected severe loss.
To illustrate the three metrics, let X be a random variable representing the loss (in millions of dollars) attributable to a breach. In a proposal (Proposal 1) for enhancing information security activities, X has the following discrete uniform distribution:

P[X = x] = 0.1 for x = 0, 1, 2, ..., 9.

The expected loss from a breach, E[X], under Proposal 1 is equal to $4.5 million, as shown by the calculation in the figure here. In order to calculate the expected severe loss, the decision maker must first specify a threshold level. Suppose that level, denoted by T, is judged to be 8, that is, any breach that costs $8 million or more is believed to put the survivability of the organization at risk. The expected severe loss, E[X|X ≥ T], under Proposal 1 is equal to $1.7 million, as shown by the calculation in the figure.

The standard deviation of loss under the loss function defined for Proposal 1 is equal to $2.87 million, as shown by the calculation in the figure.

Figure. Calculation of expected loss, expected severe loss, and standard deviation of loss in Proposal 1. Definitions used in the figure:
• X = random variable representing the loss in millions of dollars attributable to a breach
• P[X = x] = probability the loss attributable to the breach equals x, for x = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
• T = $8 million (threshold loss)
• Panels: Expected Loss E[X]; Expected Severe Loss E[X|X ≥ T]; Standard Deviation of Loss (the worked arithmetic of the figure is not reproduced here)

COMPUTING EXPECTED PCR
For a given set of information-security activities, the PCR is a linear combination of the expected loss, the expected severe loss, and the standard deviation of loss that can be attributable to a breach:

PCR = E[X] + [B/A] E[X|X ≥ T] + [C/A] × (standard deviation of loss)

where the weights A, B, and C are determined from the AHP. These weights are positive, sum to one, and reflect the relative importance of the performance metrics to the decision maker. An overview of the AHP (in an information-security-investment context) is given in [1].

Before turning to the question of how these weights are derived through AHP, consider three properties of the PCR:
• It equals the expected loss plus two penalty terms;
• The penalty term [B/A] E[X|X ≥ T] measures an additional perceived loss due to the occurrence of a severe loss; and
• The penalty term [C/A] × (standard deviation of loss) measures an additional perceived loss due to variability in predicting the loss.

The weights A, B, and C measure the emphasis the CISO wants to place on the three risk measures: expected loss, expected severe loss, and standard deviation. The weights on the three terms are 1, B/A, and C/A. Without loss of generality, one can normalize the weights on the terms in the PCR so that the weight on the expected loss, E[X], is equal to one. In that way, a decision maker who wants the PCR to equal the expected loss would set B = 0 and C = 0 in the equation defining PCR.

To illustrate the AHP method for determining the values of the weights, we consider a numerical example. Table 1 lists a pairwise comparison matrix of the three measures: expected loss, expected severe loss, and standard deviation of the loss. The pairwise comparison matrix is made up of columns 2–4 and rows 2–4 in the table. The final column lists the weights as determined by the eigenvector associated with the maximum eigenvalue for the pairwise comparison

Table 1 columns: Expected Loss E[X]; Expected Severe Loss E[X|X ≥ T]; Standard Deviation of Loss; Weights. (The numerical entries of the matrix and the resulting weights are not recoverable from this copy of the page.)
Table 1. Pairwise comparison matrix and weights for the example.
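As an added example (not code from the paper or its authors), the following Python computes the three metrics for Proposal 1 and then a PCR whose weights A, B, C are the normalized principal eigenvector of a pairwise comparison matrix, found by power iteration. The comparison matrix entries and the function names are assumptions; the severe-loss term is implemented as the probability-weighted sum of losses at or above T, which is the form that reproduces the $1.7 million figure stated in the text.

```python
"""Perceived Composite Risk (PCR) for a discrete loss distribution with AHP weights.
Added illustration: the pairwise judgments below are constructed sample values,
not the entries of the paper's Table 1."""
import math


def expected_loss(dist):
    """E[X]: sum of x * P[X = x] over the loss distribution {x: p}."""
    return sum(x * p for x, p in dist.items())


def expected_severe_loss(dist, threshold):
    """Severe-loss term: sum of x * P[X = x] over losses at or above the threshold T."""
    return sum(x * p for x, p in dist.items() if x >= threshold)


def std_dev_loss(dist):
    """Square root of the probability-weighted sum of squared deviations from E[X]."""
    mean = expected_loss(dist)
    return math.sqrt(sum(p * (x - mean) ** 2 for x, p in dist.items()))


def ahp_weights(matrix, iterations=100):
    """Normalized principal eigenvector of a reciprocal pairwise comparison matrix (power iteration)."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    return w


def pcr(dist, threshold, weights):
    """PCR = E[X] + (B/A) * E[X|X >= T] + (C/A) * sigma, with weights (A, B, C)."""
    a, b, c = weights
    return (expected_loss(dist) + (b / a) * expected_severe_loss(dist, threshold)
            + (c / a) * std_dev_loss(dist))


# Proposal 1 from the text: loss in $ millions, discrete uniform on 0..9, threshold T = 8.
PROPOSAL_1 = {x: 0.1 for x in range(10)}
THRESHOLD = 8

# Constructed comparison matrix (order: expected loss, expected severe loss, std dev).
# Entry [i][j] is how much more important measure i is than measure j; [j][i] is its reciprocal.
COMPARISONS = [[1.0, 3.0, 5.0], [1 / 3, 1.0, 2.0], [1 / 5, 1 / 2, 1.0]]

if __name__ == "__main__":
    w = ahp_weights(COMPARISONS)
    print("E[X] =", round(expected_loss(PROPOSAL_1), 2))
    print("E[X|X>=T] =", round(expected_severe_loss(PROPOSAL_1, THRESHOLD), 2))
    print("sigma =", round(std_dev_loss(PROPOSAL_1), 2))
    print("weights A, B, C =", [round(x, 3) for x in w])
    print("PCR =", round(pcr(PROPOSAL_1, THRESHOLD, w), 2))
```

Setting the weights to (1, 0, 0) collapses the PCR to the expected loss alone, the special case noted in the text.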