Date Added: Aug 2009
The information security risk assessment is investigated from perspectives of most advanced Probabilistic Risk Assessment (PRA) for nuclear power plants. Accident scenario enumeration by initiating events, mitigation systems and event trees are first described and demonstrated. Assets, confidentiality, integrity, availability, threats, vulnerabilities, impacts, likelihoods, and safeguards are reformulated by the PRA. Two illustrative examples are given: network access attacker and physical access attacker. Defenseless time spans and their frequencies are introduced to cope with non-rare initiating events of information security problems. A common event tree structure may apply to variety of security problems, thus facilitating the risk assessment.