A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability

Wolter Pieters, Sanne H.G. van der Ven, Christian W. Probst

    Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review


    One of the big problems of risk assessment in information security is the quantification of risk-related properties, such as vulnerability. Vulnerability expresses the likelihood that a threat agent acting against an asset will cause impact, for example, the likelihood that an attacker will be able to crack a password or break into a system. This likelihood depends on the capabilities of the threat agent and the strength of the controls in place. In this paper, we provide a framework for estimating these three variables based on the Elo rating used for chess players. This framework re-interprets security from the field of Item Response Theory. By observing the success of threat agents against assets, one can rate the strength of threats and controls, and predict the vulnerability of systems to particular threats. The application of Item Response Theory to the field of risk is new, but analogous to its application to children solving math problems. It provides an innovative and sound way to quantify vulnerability in models of (information) security.
    Original languageEnglish
    Title of host publicationProceedings of the 2012 workshop on New security paradigms
    PublisherAssociation for Computing Machinery
    Publication date2012
    ISBN (Print)978-1-4503-1794-8
    Publication statusPublished - 2012
    EventNew Security Paradigms Workshop (NSPW 2012) - Bertinoro, Italy
    Duration: 19 Sept 201221 Sept 2012


    WorkshopNew Security Paradigms Workshop (NSPW 2012)
    Internet address


    Dive into the research topics of 'A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability'. Together they form a unique fingerprint.

    Cite this