Risk management is the culture, processes and structures that are directed towards effective management of potential opportunities and adverse effects. Managing risk involves deciding which risks to treat, which treatment to use, and finding the balance between protection and business opportunities. The goal is to obtain a correct level of security. Decision-makers need numbers to be able to make an optimal investment and to distribute the available resources effectively.
Security attacks are future events, and we have a limited number of relevant information sources, hence we need to combine disparate information sources. This work focuses on quantifying security risks using disparate information sources, meaning all information sources available, such as experience from similar incidents in relevant systems and the experience and knowledge of domain experts. We focus on two types of information sources, empirical data and subjective expert judgment, and on how to combine them when providing economic values as input to the decision-making process. The focus is on maximising the potential of the resources used on treating risks by trading off the potential loss from risks against the costs of implementing treatments.
We will develop a methodology that supports this cost-benefit strategy and supports decision-makers when deciding which risks are in need of treatment and which treatment option to use. The goal is to maximise the effect of the resources used. The approach will be evaluated through a set of trials.