%0 Conference Proceedings
%T How to Estimate a Technical VaR Using Conditional Probability, Attack Trees and a Crime Function
%+ Technische Universität Darmstadt - Technical University of Darmstadt (TU Darmstadt)
%A Boehmer, Wolfgang
%Z Part 2: Security Engineering
%< peer-reviewed
%( Lecture Notes in Computer Science
%B 1st Cross-Domain Conference and Workshop on Availability, Reliability, and Security in Information Systems (CD-ARES)
%C Regensburg, Germany
%Y Alfredo Cuzzocrea
%Y Christian Kittl
%Y Dimitris E. Simos
%Y Edgar Weippl
%Y Lida Xu
%I Springer
%3 Security Engineering and Intelligence Informatics
%V LNCS-8128
%P 288-304
%8 2013-09-02
%D 2013
%K Conditional probability
%K Bayes theorem
%K attack trees
%K threat actor
%K crime function
%K risk scenario technology
%Z Computer Science [cs]
%Z Humanities and Social Sciences/Library and information sciences
Conference papers
%X According to the Basel II Accord for banks and Solvency II for the insurance industry, not only should the market and financial risks for the institutions be determined, also the operational risks (opRisk). In recent decades, Value at Risk (VaR) has prevailed for market and financial risks as a basis for assessing the present risks. Occasionally, there are suggestions as to how the VaR is to be determined in the field of operational risk. However, existing proposals can only be applied to an IT infrastructure to a certain extent, or to parts of them e.g. such as VoIP telephony. In this article, a proposal is discussed to calculate a technical Value at Risk (t-VaR). This proposal is based on risk scenario technology and uses the conditional probability of the Bayes theorem. The vulnerabilities have been determined empirically for an insurance company in 2012. To determine the threats, attack trees and threat actors are used. The attack trees are weighted by a function that is called the criminal energy. To verify this approach the t-VaR was calculated for VoIP telephony for an insurance company. It turns out that this method achieves good and sufficient results for the IT infrastructure as an effective method to meet the Solvency II’s requirements.
%G English
%2 https://inria.hal.science/hal-01506570/document
%2 https://inria.hal.science/hal-01506570/file/978-3-642-40588-4_20_Chapter.pdf
%L hal-01506570
%U https://inria.hal.science/hal-01506570
%~ SHS
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC5
%~ IFIP-WG
%~ IFIP-TC8
%~ IFIP-CD-ARES
%~ IFIP-WG8-4
%~ IFIP-WG8-9
%~ IFIP-LNCS-8128