The economic framework explored in [3, 6, 7] is useful for evaluating information security activities. A key concept in this framework is the notion of risk management. Even though organizations try to avoid any breach of information security, they cannot make all their information 100% secure all the time. Thus, managing the risk associated with potential breaches is an integral part of resource-allocation decisions associated with information-security activities.^{1} To make such decisions, the chief information security officer (CISO) needs to first be clear as to what is meant by risk.

Risk involves multiple dimensions and meanings within the context of information security. Here, we discuss three measures that capture various aspects of information security risk and propose a methodology that allows decision makers to combine them into a single composite metric: the perceived composite risk, or PCR.

We recommend using the Analytic Hierarchy Process (AHP) [8] to determine the weighting factors needed to combine risk measures into the PCR. We offer an example of how decision makers can use the PCR to evaluate proposals for enhancing an organization's information-security system. Here, we build on the AHP analysis in [1] for assisting CISOs in ranking proposals intended to enhance their organizations' information security systems.^{2}

Three measures that capture commonly considered facets of risk are the expected loss, expected severe loss, and standard deviation of the loss.

The expected loss is calculated by adding together the product of each loss with its respective probability.^{3} The expected loss is conceptually equivalent to the popular Annual Loss Expectancy (ALE) measure (see, for example, [3]). Based on this measure, the larger the expected loss, the larger would be the risk associated with a breach of information security.

The expected severe loss focuses on the breaches that would put the survivability of the organization at risk. In order to calculate the expected severe loss, the decision maker (such as a CISO) first specifies the magnitude of a loss that, were it to occur, would threaten the organization's survivability. The expected severe loss is calculated by adding together the product of each loss that is greater than or equal to the specified threshold loss with its respective probability. Based on this metric, the larger the expected severe loss, the larger would be the risk associated with a breach of information security.

The standard deviation of loss (the square root of the variance of loss) represents the dispersion around the expected loss. It is computed by taking the square root of the sum, over all losses, of the squared deviation of each loss from the expected loss multiplied by the probability of that loss. Based on this metric, the larger the standard deviation, the larger would be the risk associated with a security breach. We used the standard deviation of loss rather than the variance of loss because the standard deviation of loss is measured in the same units (for example, dollars) as both the expected loss and the expected severe loss.

To illustrate the three metrics, let X be a random variable representing the loss (in millions of dollars) attributable to a breach. In a proposal (Proposal 1) for enhancing information security activities, X has the following discrete uniform distribution:

P[X=x] = .1 for x = 0, 1, 2, ..., 9.

The expected loss from a breach, E[X], under Proposal 1 is equal to $4.5 million, as shown by the calculation in the figure here. In order to calculate the expected severe loss, the decision maker must first specify a threshold level. Suppose that level, denoted by T, is judged to be 8, that is, any breach that costs $8 million or more is believed to put the survivability of the organization at risk. The expected severe loss, *E*[*X|X >= T*], under Proposal 1 is equal to $1.7 million, as shown by the calculation in the figure.

The standard deviation of loss, denoted by s, under the loss function defined for Proposal 1 is equal to $2.87 million, as shown by the calculation in the figure.

### Computing Expected PCR

For a given set of information-security activities, the PCR is a linear combination of the expected loss, the expected severe loss, and the standard deviation of loss that can be attributable to a breach:

*PCR* = *E*[*X*] + [*B*/*A*] *E*[*X*|*X* >= *T*] + [*C*/*A*] s

where the weights A, B, and C are determined from the AHP. These weights are positive, sum to one, and reflect the relative importance of the performance metrics to the decision maker. An overview of the AHP (in an information-security-investment context) is given in [1].

Before turning to the question of how these weights are derived through AHP, consider three properties of the PCR:

- It equals the expected loss plus two penalty terms;
- The penalty term, [*B*/*A*] *E*[*X*|*X* >= *T*], measures an additional perceived loss due to the occurrence of a severe loss; and
- The penalty term, [*C*/*A*] s, measures an additional perceived loss due to variability in predicting the loss.

The weights A, B, and C measure the emphasis the CISO wants to place on the three risk measures: expected loss, expected severe loss, and standard deviation. The weights on the three terms are 1, B/A, and C/A. Without loss of generality, one can normalize the weights on the terms in the PCR so the weight on the expected loss, E[X], is equal to one. In that way, a decision maker who wants the PCR to equal the expected loss would set B = 0 and C = 0 in the equation defining PCR.

To illustrate the AHP method for determining the values of the weights, we consider a numerical example. Table 1 lists a pairwise comparison matrix of the three measures: expected loss, expected severe loss, and standard deviation of the loss. The pairwise comparison matrix is made up of columns 2–4 and rows 2–4 in the table. The final column lists the weights as determined by the eigenvector associated with the maximum eigenvalue for the pairwise comparison matrix in columns and rows 2–4 in the table (for more, see [1]).

In establishing this pairwise comparison matrix, the assumption in the example is that the expected loss (E[X]) and expected severe loss (E[X|X>=T]) are equally important criteria, both slightly more preferred than the standard-deviation-of-loss (s) criterion. The pairwise comparisons that represent this judgment are realized by setting a_{12} = 1, a_{21} = 1, a_{13} = 2, a_{23} = 2, a_{31} = 1/2, and a_{32} = 1/2. Further, the diagonal elements, a_{11}, a_{22}, and a_{33}, are set equal to 1, since a criterion is equally important as itself.

For a given decision maker for which AHP reveals these weights (A = 0.4, B = 0.4, and C = 0.2), here is the value of the PCR for Proposal 1:

PCR (Proposal 1) = $4.5M + [.4/.4] [$1.7M] + [.2/.4] [$2.872M] = $4.5M + $1.7M + $1.436M = $7.636M
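The Proposal 1 figures and the AHP weights above can be reproduced with a short script. This is an added example, not code from the article: the function names are hypothetical, and power iteration is used here as one standard way to obtain the eigenvector for the maximum eigenvalue.

```python
import math

def risk_measures(dist, threshold):
    """dist maps loss (in $M) -> probability. Returns (E[X], expected severe loss, s)."""
    total = sum(dist.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total}, not 1")
    mean = sum(x * p for x, p in dist.items())
    # The article's definition: sum of x*p over losses >= T, not divided by P[X >= T].
    severe = sum(x * p for x, p in dist.items() if x >= threshold)
    std = math.sqrt(sum((x - mean) ** 2 * p for x, p in dist.items()))
    return mean, severe, std

def ahp_weights(matrix, iterations=100):
    """Principal eigenvector of a pairwise comparison matrix by power iteration,
    normalized to sum to one; also returns the estimated maximum eigenvalue."""
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"a[{i}][{j}] and a[{j}][{i}] are not reciprocal")
    w = [1.0 / n] * n
    lam = 0.0
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(v)  # w sums to one, so sum(A w) estimates the max eigenvalue
        w = [x / lam for x in v]
    return w, lam

def pcr(mean, severe, std, a, b, c):
    """PCR = E[X] + (B/A) * expected severe loss + (C/A) * s."""
    if a <= 0:
        raise ValueError("weight A must be positive to normalize on expected loss")
    return mean + (b / a) * severe + (c / a) * std

# Proposal 1 from the text: uniform over losses of 0..9 ($M), threshold T = 8.
PROPOSAL_1 = {x: 0.1 for x in range(10)}
# Pairwise comparison matrix from the text (rows/cols: E[X], severe loss, s).
PAIRWISE = [[1, 1, 2], [1, 1, 2], [0.5, 0.5, 1]]

if __name__ == "__main__":
    mean, severe, std = risk_measures(PROPOSAL_1, threshold=8)
    (a, b, c), lam = ahp_weights(PAIRWISE)
    print(f"E[X]={mean:.3f} severe={severe:.3f} s={std:.3f}")
    print(f"A={a:.2f} B={b:.2f} C={c:.2f} lambda_max={lam:.3f}")
    print(f"PCR={pcr(mean, severe, std, a, b, c):.3f}")
```

A maximum eigenvalue equal to the matrix size (3 here) means the pairwise judgments are perfectly consistent; a larger value signals inconsistent comparisons that the decision maker may want to revisit.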

### Evaluating Four Proposals

In order to demonstrate PCR use, assume that the CISO must select from among four equal cost proposals for enhancing an organization's information security. Suppose the CISO and his/her staff have estimated the loss probabilities associated with the three proposed sets of information security activities. The estimated loss probabilities associated with each proposal are broken down into the 10 discrete amounts in Table 2.

We continue to assume that the threshold level, T, of a severe loss is $8 million. Table 3 lists the values of the three risk measures for each of the three proposals; it also lists the value of the PCR for each proposal, assuming that A = 0.4, B = 0.4, and C = 0.2.

Some problems with using the popular metric of expected loss as a sole measure of risk are apparent by examining Tables 2 and 3. According to the expected loss metric, Proposal 3 is the preferred proposal, followed in order by Proposal 1, Proposal 2, and Proposal 4. Note that although Proposal 3 minimizes the expected loss, it also generates the second highest probability of threatening the survivability of the organization (Pr [X>=8]=0.4) and generates the highest standard deviation of loss.

Table 3 also indicates that based on the expected severe loss criterion, Proposal 2 is the preferred proposal, followed in order by Proposal 1, Proposal 3, and Proposal 4. Further, based on the standard deviation criterion, Proposal 4 is the preferred proposal, followed in order by Proposal 2, Proposal 1, and Proposal 3. Thus, a decision maker interested in minimizing the risk of a breach could rationally select Proposal 2, Proposal 3, or Proposal 4, depending on the risk metric being considered.

The PCR combines the three risk measures through a procedure that determines the decision maker's relative weighting of the risk criteria. The weights are decision-maker dependent, so the rankings based on the PCR are likely to vary from person to person. With the values of A, B, and C given by 0.4, 0.4, and 0.2, respectively, Proposal 1 is preferred to Proposal 2, which in turn is preferred to Proposal 3, which is preferred to Proposal 4. It is interesting to note that Proposal 1 has the smallest value of the PCR, even though it did not dominate any individual metric. However, if the decision maker's weights were A = 0.1, B = 0.2, and C = 0.7, then based on the PCR, Proposal 4 is preferred to Proposal 2, which is preferred to Proposal 1, which is preferred to Proposal 3.^{4}

The approach of using the expected loss due to a breach as the ranking criterion gives the CISO a narrow analysis of the alternatives and may lead to misleading results. Examining these other risk measures helps determine the best proposal for implementation. Although we formed the PCR as a linear combination of expected loss, expected severe loss, and standard deviation of loss, the method of forming a single PCR type of metric from a set of criteria is a general methodology. The decision maker can use any set of criteria to form a PCR type of metric and the AHP to determine the weighting factors. In that way, no matter what aspects of risk a decision maker wishes to consider, a PCR type of metric can serve as a powerful decision-making tool.

### Conclusion

Anyone responsible for information security must be able to manage risk. However, the initial step in such management, defining risk, is far from easy. Popular risk metrics (such as expected loss from a breach and the standard deviation of a loss from a breach) capture only narrow aspects of risk. Here, we've introduced a new metric, the PCR, to evaluate investment proposals for enhanced information security and recommended using AHP to determine the weights in the PCR. The PCR gives the user powerful new tools for analyzing proposals for enhancing an organization's information security system. This analysis complements [1], which detailed how to spend an information-security budget, taking into account both financial and nonfinancial aspects of proposed information security projects.

### References

1. Bodin, L., Gordon, L., and Loeb, M. Evaluating information security investments using the analytic hierarchy. *Commun. ACM 48,* 2 (Feb. 2005), 461–485.

2. Gordon, L. and Loeb, M. Budgeting process for information security expenditures: Empirical evidence. *Commun. ACM 49,* 1 (Jan. 2006), 121–125.

3. Gordon, L. and Loeb, M. *Managing Cybersecurity Resources: A Cost-Benefit Analysis.* McGraw-Hill, New York, 2006.

4. Gordon, L., Loeb, M., and Lucyshyn, W. Sharing information on computer systems: An economic analysis. *Journal of Accounting and Public Policy 22,* 6 (Nov.-Dec. 2003), 461–485.

5. Gordon, L., Loeb, M., and Sohail, T. A framework for using insurance for cyber risk management. *Commun. ACM 46,* 3 (Mar. 2003), 81–85.

6. Gordon, L. and Loeb, M. The economics of investment in information security. *ACM Transactions on Information and System Security 5,* 4 (Nov. 2002), 438–457.

7. Gordon, L. and Loeb, M. A framework for using information security as a response to competitor analysis systems. *Commun. ACM 44,* 9 (Sept. 2001), 70–75.

8. Saaty, T. *The Analytic Hierarchy Process.* McGraw-Hill, New York, 1980.

### Footnotes

DOI: http://doi.acm.org/10.1145/1330311.1330325

^{1}See [5] for a framework for cyber risk management that incorporates insurance.

^{2}For more on the allocation of resources in information security, see [2, 4].

^{3}We assume loss is a discrete random variable.

^{4}In this case, PCR(Proposal 4)=$21.227 million, PCR(Proposal 2)=$22.330 million, PCR(Proposal 1)=$28.006 million, and PCR(Proposal 3)=$39.548 million.

### Figures

Figure. Calculation of expected loss, expected severe loss, and standard deviation of loss in Proposal 1.

### Tables

Table 1. Pairwise comparison matrix and weights for the example.

Table 2. Probability of losses under three information security project proposals.

Table 3. Risk measures for the three proposals (where T=8, A=0.4, B=0.4, and C=0.2).

**©2008 ACM 0001-0782/08/0400 $5.00**
