Risk variance: Towards a definition of varying outcomes of IT security risk assessment
Abstract
Assessing IT-security risks in order to achieve adequate and efficient protection measures has become the core idea of various industry practices and regulatory frameworks in the last five years. Some research however suggests that the practice of assessing IT security risks may be subject to varying outcomes depending on personal, situational and contextual factors. In this contribution we first provide a definition of risk variance as the variation of risk assessment outcomes due to individual traits, the processual environment, the domain of the assessor, and possibly the target of the assessed risk. We then present the outcome of an interview series with 9 decision makers from different companies that aimed at discussing whether risk variance is an issue in their risk assessment procedures. Finally, we elaborate on the generalizability of the concept of risk variance, despite the low sample size in light of varying risk assessment procedures discussed in the interviews. We find that risk variance could be a general problem of current risk assessment procedures.
| Dateien | Groesse | Format | Anzeige | |
|---|---|---|---|---|
| proceedings-08.pdf | 262.1Kb | View/ |
Sollte hier kein Volltext (PDF) verlinkt sein, dann kann es sein, dass dieser aus verschiedenen Gruenden (z.B. Lizenzen oder Copyright) nur in einer anderen Digital Library verfuegbar ist. Versuchen Sie in diesem Fall einen Zugriff ueber die verlinkte DOI: 10.18420/OID2022_08
Haben Sie fehlerhafte Angaben entdeckt? Sagen Sie uns Bescheid: Send Feedback
More Info
DOI: 10.18420/OID2022_08
ISBN: 978-3-88579-719-7
ISSN: 1617-5468
xmlui.MetaDataDisplay.field.date: 2022
Language: 
(en)
(en)
Content Type: Text/Conference Paper