Decision Theory is the Foundation for Information Security Risk Management

Disclaimer: I originally wrote the following text as a post to a mailing list in 2005, but it still seems applicable today.

The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following observation: decision theory provides the foundation for risk management (which, in turn, is arguably the foundation for information security), and yet the vast majority of information sources and professional training programs in information security are silent on the topic. Consider the following examples of statements an information security professional might make over the course of a career.

1. A firewall administrator argues there is a significant risk that passwords will be compromised if they are transmitted in cleartext over the Internet, since the packets will pass through untrusted computer systems and an eavesdropper on any of them could learn the password.

2. An auditor proposes implementing a security awareness training program, since security awareness training decreases the risk of a variety of security incidents.

3. A security manager recommends patching old software, since there are security vulnerabilities in the old software and since exploit code for those vulnerabilities is publicly available.

In each example there is clearly an appeal to probability. In the first, the firewall administrator argues there is a non-negligible probability that an unencrypted password sent over the Internet will be compromised. In the second, the auditor argues there is a high probability that a security awareness training program would reduce the probability of security incidents. And in the third, the security manager argues there is a significant probability that the unpatched system will be compromised, a probability that the public availability of exploit code is cited as raising.

While probably no one would deny that information security risk analysis is shot through with appeals to probability, virtually no one has attempted to analyze the concept of probability at work in those appeals in any precise or rigorous way. Moreover, there is virtually no discussion of probability or inductive logic in the training of information security professionals. It is little surprise, then, that there is so much confusion and misinformation among information security professionals regarding the role of probability and inductive logic in information security.
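To make concrete what a decision-theoretic treatment adds to the third example beyond "there is a significant probability", here is the patch-or-not decision carried through as a worked illustration. This is added for this page and is not code from the original post; every figure (patching cost, breach loss, the 10% prior that the public exploit is used against this system) is a constructed placeholder, and the assumption that the patch fully blocks the exploit is likewise constructed. The point is not the numbers but the structure: once the probability is written down, the recommendation, the probability at which it would flip, and the most any further investigation could be worth all follow.

```python
"""
Decision-theoretic reading of Example 3 (patch or leave old software unpatched).

Added illustration for this post, not code from the original. Every number
below is a constructed placeholder chosen to make the arithmetic easy to
follow; none of it is measured data.
"""
from typing import Dict, Optional

# Loss table: LOSS[action][state], all in the same units (say, dollars).
# States are what the decision maker is uncertain about: here, whether the
# publicly available exploit is actually used against this system.
# Constructed assumption: the patch fully blocks the exploit, so the only
# loss under "patch" is the patching cost itself.
PATCH_COST = 2_000.0
BREACH_LOSS = 100_000.0

LOSS: Dict[str, Dict[str, float]] = {
    "patch":      {"attack": PATCH_COST,  "no_attack": PATCH_COST},
    "do_nothing": {"attack": BREACH_LOSS, "no_attack": 0.0},
}

# Prior over states: the "significant probability" of Example 3 made explicit.
# Constructed value; in practice this estimate is what the whole argument rests on.
PRIOR: Dict[str, float] = {"attack": 0.10, "no_attack": 0.90}


def expected_loss(loss: Dict[str, Dict[str, float]], prior: Dict[str, float], action: str) -> float:
    """Expected loss of one action under the prior over states."""
    return sum(prior[s] * loss[action][s] for s in prior)


def bayes_action(loss: Dict[str, Dict[str, float]], prior: Dict[str, float]) -> str:
    """The action that minimises expected loss: the decision-theoretic recommendation."""
    return min(loss, key=lambda a: expected_loss(loss, prior, a))


def expected_loss_with_perfect_info(loss: Dict[str, Dict[str, float]], prior: Dict[str, float]) -> float:
    """Expected loss if the true state were revealed before choosing an action."""
    return sum(prior[s] * min(loss[a][s] for a in loss) for s in prior)


def evpi(loss: Dict[str, Dict[str, float]], prior: Dict[str, float]) -> float:
    """Expected value of perfect information.

    The most that any scan, threat-intelligence feed or assessment that
    sharpened the probability estimate could be worth to this decision.
    """
    best_now = min(expected_loss(loss, prior, a) for a in loss)
    return best_now - expected_loss_with_perfect_info(loss, prior)


def break_even_probability(loss: Dict[str, Dict[str, float]], action_a: str, action_b: str,
                           state: str, other_state: str) -> Optional[float]:
    """Probability of `state` at which action_a and action_b have equal expected loss.

    Two-state problem: P(state) = p and P(other_state) = 1 - p. Returns None when
    the two expected-loss lines are parallel; a value outside [0, 1] means one
    action is preferred for every prior, so the estimate of p cannot change the answer.
    """
    a, b = loss[action_a][state], loss[action_a][other_state]
    c, d = loss[action_b][state], loss[action_b][other_state]
    denominator = (a - c) + (d - b)
    if denominator == 0:
        return None
    return (d - b) / denominator


if __name__ == "__main__":
    for action in LOSS:
        print(f"E[loss | {action}] = {expected_loss(LOSS, PRIOR, action):,.0f}")
    print("recommended:", bayes_action(LOSS, PRIOR))
    p_star = break_even_probability(LOSS, "patch", "do_nothing", "attack", "no_attack")
    print(f"with these losses, patching wins once P(attack) exceeds {p_star:.3f}")
    print(f"EVPI = {evpi(LOSS, PRIOR):,.0f}")
```

With the constructed figures, patching has an expected loss of 2,000 against 10,000 for doing nothing, the recommendation flips only if P(attack) falls below 0.02, and no amount of extra intelligence about whether the exploit will be used is worth more than 1,800 here. The break-even probability is the quantity the security manager's "significant probability" is implicitly being compared against; stating it turns a qualitative argument into one that can be checked.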


  1. Jack Aug 20, 2010 at 12:03 pm

    Hello Jeff!

    Your appeal to the Decision Sciences in support of InfoSec risk is very well founded, even if not altogether vanguard.

    You may want to explore the FAIR risk assessment methodology.

    While FAIR does not purport precision (I’d argue no one could really), it does allow for accurate and rigorous decision making.

  2. Security Consultants Oct 22, 2011 at 1:15 am

    In my opinion, risk management is a process of thinking systematically about all possible risks, problems, or disasters before they happen and setting up procedures that will avoid the risk, minimize its impact, or cope with its impact. It is setting up a process where you can identify the risk and set up a strategy to control or deal with it.
