• DocumentCode
    2777826
  • Title

    A New Formula of Security Risk Analysis That Takes Risk Improvement Factor into Account

  • Author

    Hiroyuki, Sato

  • Author_Institution
    Inf. Technol. Center, Univ. of Tokyo, Tokyo, Japan
  • fYear
    2011
  • fDate
    9-11 Oct. 2011
  • Firstpage
    1243
  • Lastpage
    1248
  • Abstract
    Risk analysis is the very first step for organizational information security, where a qualitative approach is a major methodology. Today, it is required that risk treatment is discussed also in terms of security investment. Considering that a security model can be represented as a set of risk formulas, we propose a new risk formula that can also represent improvement factors of security. The resulting formula is $R = e^{C} \cdot A^{\alpha_A} V^{\alpha_V} T^{\alpha_T}$, which includes the conventional multiplicative risk formula. We show how to calculate α's by using the risk reduction matrix. As an available scenario, we propose that we use the formula as a perturbation to the conventional risk formula. We show an example scenario in which by using the conventional multiplicative risk formula and a risk reduction matrix for representing the risk improving factor, a risk value is re-calculated. Security investment can also be evaluated by using our formula. Moreover, we propose that α's represent a factor of significance in decision making. Keywords: security, risk assessment, risk formula, security investment.
  • Keywords
    matrix algebra; organisational aspects; risk analysis; security of data; organizational information security; risk improvement factor; risk reduction matrix; security investment; security risk analysis; Decision making; Information security; Investments; Organizations; Risk management; risk assessment; risk formula; security; security investment;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom), 2011 IEEE Third International Conference on
  • Conference_Location
    Boston, MA
  • Print_ISBN
    978-1-4577-1931-8
  • Type

    conf

  • DOI
    10.1109/PASSAT/SocialCom.2011.44
  • Filename
    6113289