Title: Application of a financial quantitative risk model to information security risk assessment
Author: Pan, Liuxuan
ISNI: 0000 0004 8500 1626
Awarding Body: Royal Holloway, University of London
Current Institution: Royal Holloway, University of London
Date of Award: 2018
Information security risk assessment (ISRA) has its roots in documents like the Orange Book and the Anderson Report. Even recent standards such as the ISO 27000 series make assumptions similar to those made in this early work. With the advent of globalisation, cloud computing and BYOD, the assumptions made by the early guidelines on risk assessment no longer hold. For example, for many organisations it may be impossible even to identify assets, far less calculate the associated risk. This thesis argues that a new approach to risk assessment is needed and presents an alternative based on financial models. Instead of taking a bottom-up approach, we apply the theory of 'value at risk' (VaR) to provide a macroscopic view of the risk to an organisation based on the potential financial loss due to a cyber attack. We present a thorough and systematic review of ISRA research and provide a taxonomy of approaches to the problem. Since knowledge of the probability distribution of attacks is necessary to build the VaR model, we use data provided by Spamhaus in an attempt to identify the distribution of attacks by malware. Our findings show that malware attacks are non-uniformly distributed over 24 hours. This work also demonstrated a novel approach to malware analysis using circular statistics and presented results of analysis using rose and helix diagrams. Based on these findings we constructed a novel 'Malware' VaR model to estimate the worst-case financial loss due to malware-based data exfiltration from an organisation.
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available
Keywords: Information Security Risk Assessment ; Financial Risk Model ; Value at Risk ; Malware