Redefining Information Systems Risk for Automated Severity Risk Assessment

Hicks, Chelsea E.

Risk assessments are a critical process for organizations, especially from the information technology perspective. Organizations are now interconnected through the internet, leaving them exposed to malicious actors. As a result, there is a constant struggle between malicious actors attempting to infiltrate an organization and the organization defending against these attacks. It is critical for organizations to know which information technology systems are at the highest risk of being successfully attacked. However, risk assessments are traditionally a time-consuming process with a heavy reliance on subject matter experts. This slows down the risk assessment process and also limits the quality of risk assessments available to small- to medium-sized businesses. This research provides a new calculation of risk that can be computed automatically, without relying on subject matter experts. We tested our new calculation by comparing it to 19 subject matter experts' responses, then tested its validity and objectivity via a deep learning neural network. Our results show that while our proposed calculation of risk does not perform as well as experts, and its results can be difficult to interpret due to a lack of scale, the results are promising. Our risk calculation estimates the risk score within 50% of the experts' scoring for about half of the cases. Additionally, our calculation uses only open standards and easily collected data, making implementation and improvement feasible for both practitioners and academia.

This item is available only to currently enrolled UTSA students, faculty or staff.
Keywords: automated, objective, risk assessment, severity, standard, subject matter expert
Department: Information Systems and Cyber Security