How Much Matter Probabilities in Information Security Quantitative Risk Assessment?

The starting point of this research essay is a critical review of two methods to conduct a quantitative analysis of information systems security risks: 1) Management of Risk: Guidance for Practitioners and 2) a cost model based on annual loss expectancy. We are focusing on these methods with a perspective that highlights the limits of both empiricism and the theoretical elements that underlie them. From an epistemological point of view we have considered the logical syntax of the two models, the semantics included in statements and the pragmatics of the scientific discourse: the use of models to demonstrate the risk assessment thesis, to solve the problems of risks in the human judgment versus mathematical calculus controversy. The major issues that we are discussing in this article imply various perspectives on scientific criteria, the choice among various theories and the structuring of problems proposed to be solved. We argue that the models that have been developed so far, the top-down approach (which involves well defined and well understood rules), as well as the demonstrations based on the induction method, cannot be applied in a lot of scenarios, because information systems, considered as a complex whole made up of various components, is primarily not a positivistic science solely described by mathematics. The main research question to be answered in this paper is: What are the limits of knowledge in probabilistic computations for information systems security risk assessment? Our purpose is to demonstrate the epistemological limits of the two models and the error of generalizing probability calculus using the interpretive approach.