Weiß, SteffenMeyer-Wegener, KlausAlkassar, AmmarSiekmann, Jörg2019-04-032019-04-032008978-3-88579-222-2https://dl.gi.de/handle/20.500.12116/21498Awareness of security has risen during the last years. As a result, the question of adequate protection against security risks increased, too. Management wants to decide whether and how to invest in this protection. As a result, quantitative statements about information-security risks are needed. Existing approaches in this domain either rely on guessed data or do not answer the question in a quantitative way. We think that this is due to the fact that no approach separates information that can be provided by a central organization (e.g. known attacks, available controls, and a control’s probability of protection) from information which must be provided individually (e.g. the controls installed). We have developed an approach that employs this separation and allows quantitative assessment of security with the help of a model. This model is presented here with a special look at the separation.enText/Conference Paper1617-5468