Reconciling Malicious and Accidental Risk in Cyber Security

Wolter Pieters 1, 2, +, Zofia Lukszo 3, Dina Hadžiosmanović 1, and Jan van den Berg 1

1 TU Delft; Technology, Policy and Management; ICT; Delft, The Netherlands
{w.pieters, d.hadziosmanovic, j.vandenberg}@tudelft.nl

2 University of Twente; EEMCS; Services, Cybersecurity and Safety; Enschede, The Netherlands

3 TU Delft; Technology, Policy and Management; Energy & Industry; Delft, The Netherlands
z.lukszo@tudelft.nl

Abstract

Consider the question whether a cyber security investment is cost-effective. The result will depend on the expected frequency of attacks. Contrary to what are referred to as threat event frequencies or hazard rates in safety risk management, frequencies of targeted attacks are not independent of system design, due to the strategic behaviour of attackers. Although there are risk assessment methods that deal with strategic attackers, these do not provide expected frequencies as outputs, making it impossible to integrate them into existing (safety) risk management practices. To overcome this problem, we propose to extend the FAIR (Factor Analysis of Information Risk) framework to support malicious, targeted attacks. Our approach is based on (1) a clear separation of system vulnerability and environmental threat event frequencies, and (2) deriving threat event frequencies from attacker resources and attacker strategies rather than estimating them directly, drawing upon work in adversarial risk analysis. This approach constitutes an innovative way to quantify expected attack frequencies as a component of (information) security metrics for investment decisions.

Keywords: adversarial risk analysis, factor analysis of information risk, security metrics, threat event frequency

+ Corresponding author: Wolter Pieters
TU Delft, Faculty of Technology, Policy and Management, Section ICT, Building 31, Jaffalaan 5, 2628 BX Delft,
P.O. Box 5015, 2600 GA Delft, The Netherlands, Tel: +31-(0)15-27-88989, Web: http://homepage.tudelft.nl/e7x9k

Journal of Internet Services and Information Security (JISIS), 4(2): 4-26, May 2014