Date Added: Nov 2009
After the information security audit, the auditor commonly points out the importance of information assets, the vulnerability of the audited information system, and the need of countermeasures. On such an occasion, the audited often ask the auditor for the quantitative assessment of the risk so that they can take specific measures. Nevertheless, in reality, the auditor can hardly meet this requirement because they do not have any appropriate methods to assess the risk quantitatively and systematically. Therefore, this paper proposes the approach that makes it possible to identify the scenarios of information security accidents systematically, to assess the risk of the occurrence of the scenario quantitatively, and to point out the importance of taking countermeasures by incorporating probabilistic risk assessment in information security audit.