The cybersecurity risk estimation engine: A tool for possibility based risk analysis

Despite dramatic changes in the constellation of cybersecurity risks, the basic approach to risk calculation has been anchored to probability theory. The probability approach is widely known and conceptually simple. But it is disadvantageous in its grounding on expert estimates of frequency data which is often publicly unavailable. This study proposes the use of possibility theory as a complementary grounding for cybersecurity risk calculations. Using a design science research approach, we use possibility theory as the kernel theory in developing and evaluating a practical possibility-based risk estimation prototype. The results offer an expanded grounding to improve cybersecurity risk analysis.