LUP Student Papers

LUND UNIVERSITY LIBRARIES

Risky Business: Quantitative Risk Assessments as Enabling Devices in Cybersecurity

Alexander, Colette LU (2024) FLMU16 20232
Division of Risk Management and Societal Safety
Abstract
Quantitative risk assessment (QRA) is a growing practice in the cybersecurity
field. This paper examines the use of QRA in various industries and the problems with
its use. The focus of the qualitative research is to understand why cybersecurity
organizations might want to use QRA even if it produces untrue and potentially
problematic results. It draws from other bodies of work that view QRA as a type of
fantasy document and enabling device and posits that this could also be true within
cybersecurity organizations. Interviews with Chief Information Security Officers
(CISOs) and risk managers revealed that QRA clearly operates as an enabling device
by aiding in budget approval with executives. Interviewees valued QRA for the
perception of objectivity that it gave to others, even while understanding
themselves that it was subjective. CISOs were more pragmatic about this tension,
while risk managers who were more involved in the creation of the QRAs were more
likely to want to have them continuously improved in the hope that they would
eventually represent an objective truth. Even though it is often touted as a value
of producing QRA, organizational learning was not an objective for any of the
interviewees, and the method of collecting data for their QRAs was not always
conducive to sharing information for broader learning. Overall, QRA clearly
functions as an enabling device for the cybersecurity professionals interviewed,
allowing them to advocate and receive crucial funding for cybersecurity projects.
author: Alexander, Colette LU
organization: Division of Risk Management and Societal Safety
course: FLMU16 20232
year: 2024
type: H1 - Master's Degree (One Year)
keywords: Quantitative risk assessment, cybersecurity, enabling device
language: English
id: 9148570
date added to LUP: 2024-02-15 07:53:01
date last changed: 2024-02-15 07:53:01
@misc{9148570,
  abstract     = {{Quantitative risk assessment (QRA) is a growing practice in the cybersecurity 
field. This paper examines the use of QRA in various industries and the problems with 
its use. The focus of the qualitative research is to understand why cybersecurity 
organizations might want to use QRA even if it produces untrue and potentially 
problematic results. It draws from other bodies of work that view QRA as a type of 
fantasy document and enabling device and posits that this could also be true within 
cybersecurity organizations. Interviews with Chief Information Security Officers 
(CISOs) and risk managers revealed that QRA clearly operates as an enabling device 
by aiding in budget approval with executives. Interviewees valued QRA for the 
perception of objectivity that it gave to others, even while understanding 
themselves that it was subjective. CISOs were more pragmatic about this tension, 
while risk managers who were more involved in the creation of the QRAs were more 
likely to want to have them continuously improved in the hope that they would 
eventually represent an objective truth. Even though it is often touted as a value 
of producing QRA, organizational learning was not an objective for any of the 
interviewees, and the method of collecting data for their QRAs was not always 
conducive to sharing information for broader learning. Overall, QRA clearly 
functions as an enabling device for the cybersecurity professionals interviewed, 
allowing them to advocate and receive crucial funding for cybersecurity projects.}},
  author       = {{Alexander, Colette}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Risky Business: Quantitative Risk Assessments as Enabling Devices in Cybersecurity}},
  year         = {{2024}},
}