{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:19:29Z","timestamp":1754158769575,"version":"3.41.2"},"reference-count":31,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2017,7,10]],"date-time":"2017-07-10T00:00:00Z","timestamp":1499644800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,7,10]]},"abstract":"\nPurpose<\/jats:title>\nThis study aims to argue that in the case of quantitative security risk assessment, individuals do not estimate probabilities as a likelihood measure of event occurrence.<\/jats:p>\n<\/jats:sec>\n\nDesign\/methodology\/approach<\/jats:title>\nThe study uses the most commonly used quantitative assessment approach, the annualized loss expectancy (ALE), to support the three research hypotheses.<\/jats:p>\n<\/jats:sec>\n\nFindings<\/jats:title>\nThe estimated probabilities used in quantitative models are subjective.<\/jats:p>\n<\/jats:sec>\n\nResearch limitations\/implications<\/jats:title>\nThe ALE model used in security risk assessment, although it is presented in the literature as quantitative, is, in fact, qualitative being influenced by bias.<\/jats:p>\n<\/jats:sec>\n\nPractical implications<\/jats:title>\nThe study provides a factual basis showing that quantitative assessment is neither realistic nor practical to the real world.<\/jats:p>\n<\/jats:sec>\n\nOriginality\/value<\/jats:title>\nA model that cannot be tested experimentally is not a scientific model. In fact, the probability used in ISRM is an empirical probability or estimator of a probability because it estimates probabilities from experience and observation.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-07-2016-0055","type":"journal-article","created":{"date-parts":[[2017,5,24]],"date-time":"2017-05-24T19:18:11Z","timestamp":1495653491000},"page":"345-354","source":"Crossref","is-referenced-by-count":4,"title":["Running the risk IT \u2013 more perception and less probabilities in uncertain systems"],"prefix":"10.1108","volume":"25","author":[{"given":"Adrian","family":"Munteanu","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020120619213846500_ref001","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1016\/j.ress.2011.11.006","article-title":"The risk concept-historical and recent development trends","volume":"99","year":"2012","journal-title":"Reliability Engineering and System Safety"},{"issue":"4","key":"key2020120619213846500_ref002","article-title":"Towards a standard approach for quantifying an ICT security investment","volume":"30","year":"2008","journal-title":"Computer Standards & Interfaces"},{"key":"key2020120619213846500_ref003","unstructured":"ENISA (2012), \u201cIntroduction to return on security investment helping CERTs assessing the cost of (lack of) security\u201d, available at: www.enisa.europa.eu\/activities\/cert\/other-work\/introduction-to-return-on-security-investment\/at_download\/fullReport"},{"key":"key2020120619213846500_ref004","unstructured":"FIPS (1974), Archived FIPS Publications, available at: http:\/\/csrc.nist.gov\/publications\/PubsFIPSArch.html"},{"volume-title":"Managing Risk in Information Systems","year":"2014","key":"key2020120619213846500_ref005"},{"key":"key2020120619213846500_ref006","unstructured":"Godin, D. (2013), \u201cYou\u2019re infected \u2013 if you want to see your data again, pay us $300 in Bitcoins, Ars Technica\u201d, available at: http:\/\/arstechnica.com\/security\/2013\/10\/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins\/"},{"volume-title":"Thinking, Fast and Slow","year":"2011","key":"key2020120619213846500_ref007"},{"key":"key2020120619213846500_ref008","unstructured":"Keynes, J.M. (1921), \u201cA treatise on probability\u201d, available at: http:\/\/archive.org\/stream\/treatiseonprobab007528mbp#page\/n9\/mode\/2up"},{"volume-title":"Propagation of Uncertainty in Socio-Economic Systems, Cited in K. Ellis","year":"2013","key":"key2020120619213846500_ref009"},{"volume-title":"The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments","year":"2005","key":"key2020120619213846500_ref010"},{"edition":"2nd","volume-title":"Official (ISC)2 Guide to the CSSLP CBK","year":"2013","key":"key2020120619213846500_ref011"},{"year":"2008","key":"key2020120619213846500_ref012","article-title":"Information systems security risk assessment: harmonization with international accounting standards"},{"key":"key2020120619213846500_ref013","doi-asserted-by":"publisher","first-page":"324","DOI":"10.1057\/ejis.2008.31","article-title":"Measuring research quality: the united kingdom government\u2019s research assessment exercise","volume":"7","year":"2008","journal-title":"European Journal of Information Systems"},{"volume-title":"The Logic of Scientific Discovery","year":"1980","key":"key2020120619213846500_ref014"},{"key":"key2020120619213846500_ref015","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/j.cose.2015.11.001","article-title":"Taxonomy of information security risk assessment (ISRA)","volume":"57","year":"2016","journal-title":"Computer & Security"},{"volume-title":"The Perception of Risk, cited in Kahneman D \u2013 Thinking Fast and Slow","year":"2011","key":"key2020120619213846500_ref016"},{"volume-title":"Quantitative Risk Analysis Step-By-Step","year":"2002","key":"key2020120619213846500_ref017"},{"issue":"4\/6","key":"key2020120619213846500_ref018","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1080\/19393555.2015.1092620","article-title":"Potential problems with information security risk assessments","volume":"24","year":"2015","journal-title":"Information Security Journal: A Global Perspective"},{"issue":"4157","key":"key2020120619213846500_ref019","article-title":"Judgment under uncertainty: Heuristics and biases","volume":"185","year":"1974","journal-title":"Science, New Series"},{"year":"2009","key":"key2020120619213846500_ref020","article-title":"Quantified security is a weak hypothesis: a critical survey of results and assumptions"},{"issue":"1","key":"key2020120619213846500_ref021","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1016\/j.cose.2004.11.002","article-title":"Management of risk in the information age","volume":"24","year":"2005","journal-title":"Computers & Security"},{"volume-title":"Critical Issues in Systems Theory and Practice","year":"2013","key":"key2020120619213846500_ref022"},{"issue":"3","key":"key2020120619213846500_ref023","article-title":"Toward risk assessment of large-impact and rare events","volume":"8","year":"2010","journal-title":"IEEE Security and Privacy"},{"issue":"1","key":"key2020120619213846500_ref024","article-title":"Addressing information risk in turbulent times","volume":"9","year":"2011","journal-title":"IEEE Security and Privacy"},{"issue":"2","key":"key2020120619213846500_ref025","article-title":"ISRAM: information security risk analysis method","volume":"24","year":"2005","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120619213846500_ref026","article-title":"Unrealistic optimism on information security, management","volume":"31","year":"2012","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120619213846500_ref027","article-title":"Risk as analysis and risk as feelings: some thoughts about affect, reason, risk, and rationality","volume":"24","year":"2004","journal-title":"Risk Analysis"},{"key":"key2020120619213846500_ref028","first-page":"100","article-title":"The information systems\u2019 security level assessment model based on an ontology and evidential reasoning approach","volume":"55","year":"2004","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120619213846500_ref029","article-title":"The economic approach of information security","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020120619213846500_ref030","unstructured":"Von Hayek, F.A. (2014), \u201cPrize lecture: the pretense of knowledge\u201d, available at: www.nobelprize.org\/nobel_prizes\/economic-sciences\/laureates\/1974\/hayek-lecture.html (3 February 2016)."},{"key":"key2020120619213846500_ref031","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2014.04.005","article-title":"A situation awareness model for information security risk management","volume":"44","year":"2014","journal-title":"Computers & Security"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2016-0055\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2016-0055\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:02Z","timestamp":1753406582000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/3\/345-354\/105956"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,10]]},"references-count":31,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,10]]}},"alternative-id":["10.1108\/ICS-07-2016-0055"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2016-0055","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,7,10]]}}}