An Application of Probabilistic Risk Assessment to Information Security Audit

Cited by: 0
Authors
Satoh, Naoki [1 ]
Kumamoto, Hiromitsu [1 ]
Affiliations
[1] Kyoto Univ, Grad Sch Informat, Sakyo Ku, 36-1 Yoshida Honmachi, Kyoto 6068501, Japan
Source
AIC '09: PROCEEDINGS OF THE 9TH WSEAS INTERNATIONAL CONFERENCE ON APPLIED INFORMATICS AND COMMUNICATIONS: RECENT ADVANCES IN APPLIED INFORMATICS AND COMMUNICATIONS | 2009
Keywords
Information Security; Audit; Probabilistic Risk Assessment; Scenario; Defenseless Time Span; Occurrence Frequency
DOI
None
Chinese Library Classification
TP [Automation technology; computer technology]
Discipline classification code
0812
Abstract
After an information security audit, the auditor typically points out the importance of the information assets, the vulnerability of the audited information system, and the need for countermeasures. On such occasions the auditee often asks the auditor for a quantitative assessment of the risk so that specific measures can be taken. In practice, however, auditors can rarely meet this request because they lack an appropriate method for assessing risk quantitatively and systematically. This paper therefore proposes an approach, based on incorporating Probabilistic Risk Assessment (PRA) into the information security audit, that makes it possible to identify information security accident scenarios systematically, to assess the risk of each scenario's occurrence quantitatively, and to demonstrate the importance of taking countermeasures. To describe and explain the approach concretely, the paper takes an audit of password management as its example. By enumerating the possible scenarios in which initiating events, vulnerabilities in the mitigation systems, and operational failures allow illegal access to the information assets, the paper shows that the security risk can be assessed through the pair (defenseless time span, occurrence frequency) of each scenario. Finally, because the parameters needed for risk quantification, such as the occurrence frequency of password theft, the probability that the theft is detected, and the probability that a countermeasure is taken after the theft, are uncertain, the uncertainty of the scenario's occurrence itself is assessed by propagating the incomplete knowledge of these parameters with random numbers (Monte Carlo sampling).
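The password-management case described in the abstract, as an added example that is not part of the paper or its authors' work: a small Python event tree that branches the initiating event (password theft) through the mitigation layer (detection) and the operational step (taking a countermeasure), scores each leaf scenario by the pair (occurrence frequency, defenseless time span), and then propagates parameter uncertainty with Monte Carlo sampling. The three-branch structure, the 90-day password lifetime, the detection and countermeasure delays, and the parameter intervals are all assumptions chosen for illustration, not values taken from the paper.

```python
"""Probabilistic risk assessment of a password-theft audit scenario.

Added illustration (not the paper's own code). Every numeric value below
(password lifetime, delays, parameter intervals) is an assumption.
"""
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One path through the event tree, scored as the pair
    (occurrence frequency, defenseless time span)."""
    name: str
    frequency: float         # expected occurrences per year
    defenseless_days: float  # days during which the stolen password stays usable


def enumerate_scenarios(theft_rate, p_detect, p_counter,
                        reset_days=90.0, detect_delay_days=2.0,
                        counter_delay_days=1.0):
    """Branch the initiating event through detection and countermeasure.

    theft_rate  - password thefts per year (initiating-event frequency)
    p_detect    - probability that the theft is detected (mitigation layer)
    p_counter   - probability that a countermeasure, e.g. a forced reset,
                  actually follows detection (operational step)
    reset_days  - assumed policy-driven password lifetime; an undetected or
                  un-remediated theft stays exploitable until the next
                  scheduled change
    The branch frequencies sum to theft_rate, so no path is lost or counted twice.
    """
    remediated_days = min(detect_delay_days + counter_delay_days, reset_days)
    return [
        Scenario("detected, countermeasure taken",
                 theft_rate * p_detect * p_counter, remediated_days),
        Scenario("detected, no countermeasure (operational failure)",
                 theft_rate * p_detect * (1.0 - p_counter), reset_days),
        Scenario("undetected (mitigation failure)",
                 theft_rate * (1.0 - p_detect), reset_days),
    ]


def expected_exposure(scenarios):
    """Risk index: expected credential-days per year during which illegal
    access with the stolen password is possible (sum of frequency x span)."""
    return sum(s.frequency * s.defenseless_days for s in scenarios)


def propagate_uncertainty(n_samples=10_000, seed=0,
                          theft_rate_range=(0.5, 2.0),
                          p_detect_range=(0.3, 0.8),
                          p_counter_range=(0.6, 0.95)):
    """Monte Carlo propagation: draw each uncertain parameter uniformly from
    an interval that expresses incomplete knowledge, recompute the event
    tree, and summarise the resulting exposure distribution."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_samples):
        scen = enumerate_scenarios(rng.uniform(*theft_rate_range),
                                   rng.uniform(*p_detect_range),
                                   rng.uniform(*p_counter_range))
        samples.append(expected_exposure(scen))
    samples.sort()
    return {
        "p05": samples[int(0.05 * n_samples)],
        "median": samples[n_samples // 2],
        "p95": samples[int(0.95 * n_samples)],
        "mean": sum(samples) / n_samples,
    }


if __name__ == "__main__":
    # Point estimate: one theft per year, 50 % detection, 80 % follow-up.
    point = enumerate_scenarios(1.0, 0.5, 0.8)
    for s in point:
        print(f"{s.name:52s} freq/yr={s.frequency:.3f} "
              f"defenseless_days={s.defenseless_days:.0f}")
    print("point-estimate exposure (credential-days/yr):",
          round(expected_exposure(point), 2))
    print("exposure under parameter uncertainty:", propagate_uncertainty())
```

The useful output for an auditee is the comparison, not the absolute number: rerunning `expected_exposure` with a higher `p_detect` or a shorter `reset_days` shows how much credential-days of exposure a proposed countermeasure removes, and the p05/p95 spread from `propagate_uncertainty` shows whether that conclusion survives the auditor's ignorance of the true parameter values.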
Pages: 436 / +
Page count: 2