A Formal Attack Centric Framework Highlighting Expected Losses of an Information Security Breach
2013
Since the earliest approaches to analyzing and assessing the information-related risk affecting an organization, the two factors determining risk have been the damages or losses incurred by the organization and the probability of those risk incidents occurring. Many qualitative and quantitative models have been proposed to estimate these two factors using asset-centric and software-centric approaches. This paper proposes an attack-centric framework that considers the approaches of an attacker and the different characteristics of an attack in computing the overall impact of the attack, which can then be used to effectively calculate the overall loss incurred by the organization in the event of a successful attack. The framework is akin to the existing ones and goes a step further with a new mathematical approach to estimating the cost of any type of loss incurred by the organization due to an information security breach. The framework also treats the cost of implementing security as a loss in the event that a security measure fails to provide appropriate protection against the threats.