Sources of security risk information: What do professionals rely on for their risk assessment?
This study surveys the information sources that physical and cyber security professionals use in risk assessment, evaluates the quality and trustworthiness of these sources, and analyzes their actual use. The results show that expert opinion is trusted most, personal experience comes second, and scientific information is used less because of issues with source intention.
Security risks, such as sabotage and cyberattacks, are an increasing threat to business and government processes. They originate from malicious human action, for which exact historical data is often lacking. The judgment and assessment of security professionals is therefore the primary input for security risk management, a subjective probabilistic approach. In this study, we explore the information sources that professionals in both the physical and cybersecurity domains use for this purpose, improving understanding of their daily practice. Sources of security risk information are collected, their quality and trustworthiness are assessed, and their use is analyzed. Quality is assessed by experienced security practitioners applying the NATO system for intelligence evaluation, with source intention as an additional criterion. Actual use is analyzed among security professionals. The results consist of a comparative ranking of sources by both assessed quality and daily use. Experts are ranked first for perceived quality and are also the source most relied upon in daily practice; individual/personal experience comes second. The additional criterion of source intention explained the lower level of use of information from science. This study provides the basis for enhancing security risk management through a more conscious selection of sources.