Possible risks analysis engine: A prototype tool for managing IT security safeguards acquisition

Risk analysis provides a cost-benefit analysis of information security controls and safeguards in economic terms. Despite serious flaws in its fundamentals, approaches to calculating risk have changed little over the past decades. The publicly available frequency data that does exist is generally incompatible and unusable. Theories of mathematical evidence indicate that probability theory is inappropriate where frequency data is unavailable. While alternative theoretical frameworks have been suggested, practical vehicles for the use of such frameworks have yet to materialize. This paper reports on design science research that employs fuzzy sets and possibility theory as kernel theories to develop and demonstrate a prototype of such a practical vehicle. This vehicle opens avenues for testing and operating risk analysis methodologies based on alternative mathematical theories of evidence.