Disclaimer: I originally wrote the following text as a post to a mailing list in 2005, but it still seems applicable today.
The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following observation: decision theory provides the foundation for risk management (which, in turn, is arguably the foundation for information security) and yet the vast majority of sources of information and professional training on information security are silent on the topic. Consider the following examples of statements an information security professional may make in their career.
1. A firewall administrator argues there is a significant risk that passwords will be compromised if transmitted as cleartext over the Internet, since the passwords will go through untrusted computer systems and an eavesdropper could learn the password.
2. An auditor proposes implementing a security awareness training program, since security awareness training decreases the risk of a variety of security incidents.
3. A security manager recommends patching old software, since there are security vulnerabilities in the old software and since exploit code for those vulnerabilities is publicly available.
In each example, there is clearly an appeal to probability. In the first example, the firewall administrator argues there is a non-negligible probability that an unencrypted password sent over the Internet could be compromised. In the second example, the auditor argues there is a high probability that a security awareness training program would decrease the probability of security incidents. And in the third example, the security manager argues there is a significant probability the system will be compromised.
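The essay's point is that each of these claims is really a decision-theoretic one: a control is worth adopting only when the probability it reduces, times the loss it averts, exceeds what the control costs. The following Python is an added example (not part of the original post) that makes that structure explicit for the three statements above; all probabilities, losses and control costs are constructed placeholder values, not figures from the text. The `break_even_probability` function shows what "significant" or "non-negligible" has to mean numerically for each argument to go through, and `replace` is used to test how the decision flips when the estimate is wrong.

```python
"""Expected-loss comparison of the three risk claims (added illustration)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskClaim:
    name: str
    p_event: float               # assumed annual probability of the adverse event, no control
    p_event_with_control: float  # assumed annual probability once the control is in place
    loss: float                  # assumed loss per event (currency units)
    control_cost: float          # assumed annual cost of the proposed control


def annual_expected_cost(claim: RiskClaim, with_control: bool) -> float:
    """Expected annual cost of one branch of the decision (control vs. no control)."""
    if with_control:
        return claim.control_cost + claim.p_event_with_control * claim.loss
    return claim.p_event * claim.loss


def control_is_justified(claim: RiskClaim) -> bool:
    """Decision rule: adopt the control when it minimises expected annual cost."""
    return annual_expected_cost(claim, True) < annual_expected_cost(claim, False)


def break_even_probability(claim: RiskClaim) -> float:
    """Smallest uncontrolled event probability at which the control pays for itself.

    Derived from p * loss > control_cost + p_with_control * loss.
    """
    return claim.p_event_with_control + claim.control_cost / claim.loss


# Constructed placeholder numbers for the three statements in the text.
CLAIMS = [
    RiskClaim("cleartext passwords (firewall administrator)", 0.20, 0.01, 50_000.0, 2_000.0),
    RiskClaim("no awareness training (auditor)", 0.30, 0.20, 40_000.0, 3_000.0),
    RiskClaim("unpatched software, public exploit (security manager)", 0.50, 0.05, 100_000.0, 8_000.0),
]


def sensitivity(claim: RiskClaim, alternative_p_event: float) -> bool:
    """Re-run the decision with a different probability estimate for the uncontrolled case."""
    return control_is_justified(replace(claim, p_event=alternative_p_event))


if __name__ == "__main__":
    for claim in CLAIMS:
        print(f"{claim.name}: "
              f"no control = {annual_expected_cost(claim, False):,.0f}, "
              f"control = {annual_expected_cost(claim, True):,.0f}, "
              f"justified = {control_is_justified(claim)}, "
              f"break-even p = {break_even_probability(claim):.3f}")
```

Run with the constructed numbers, all three controls are justified, but the auditor's case is the fragile one: its break-even probability is 0.275, so if the uncontrolled incident probability were 0.25 instead of 0.30 the same argument would recommend against the training. That is the kind of explicit probability threshold the essay says is usually left unstated.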
While probably no one would deny that information security risk analysis is shot through with appeals to probability, virtually no one has attempted to analyze the concept of probability in such appeals in any sort of precise or rigorous way. Moreover, there is virtually no discussion of probability or inductive logic in training for information security professionals. It is little surprise, then, that there is so much confusion and misinformation among information security professionals regarding the role of probability and inductive logic in information security.