
1 Loss distribution

$N \sim \mathrm{Poiss}$: number of vulnerabilities found during the assessment
$v_i \sim\ ?$ (continuous distr.): access to the asset given by the $i$-th found vulnerability
$L$: loss
then:
\[
L = \sum_{i=1}^{N} v_i . \tag{1}
\]
We want to find the probability distribution of L.
Since it is in general difficult or impossible to get an explicit analytical form for (1), we
aim to efficiently approximate it with numerical techniques.
In order to simplify the derivation we introduce access bands. This means discretizing
the possible range of access into m groups.
New notation:
$L$: unit amount of access, expressed in a base currency
$v_j$: common access granted by vulnerabilities in band $j$ (expressed in units of $L$)
$L_{V_j} = L\, v_j$: access granted by vulnerability $V$ in band $j$
Now we can state:
\[
\Pr(\text{aggregated losses in band } j = l) = \Pr(\text{to discover } n \text{ vulnerabilities})
\]
with each vulnerability in band $j$ providing access $L_{V_j}$.
Therefore:
\[
l = n\, L_{V_j} = n\, v_j\, L .
\]
The probability generating function (PGF) for the single band $j$ is then:
\[
G_j(z) = \sum_{n=0}^{\infty} \Pr(\text{aggr. loss} = n\, v_j\, L)\, z^{n v_j}
       = \sum_{n=0}^{\infty} \Pr(\text{to discover } n \text{ vulnerabilities})\, z^{n v_j} .
\]
Since the number $N$ of discovered vulnerabilities is Poisson distributed:
\[
G_j(z) = \sum_{n=0}^{\infty} e^{-\mu_j}\, \frac{\mu_j^{\,n}}{n!}\, z^{n v_j} ,
\]
where $\mu_j$ is the expected number of vulnerabilities found in band $j$ and $\varepsilon_j$ is the expected loss
from band $j$ ($\varepsilon_j = v_j\, \mu_j$). (The two Greek symbols are not legible in this copy of the note;
$\mu_j$ and $\varepsilon_j$, and $\mu$ for the total below, are the names used here for them, following the
CreditRisk+ notation the note refers to.) The total expected number of vulnerabilities is
\[
\mu = \sum_{j=1}^{m} \mu_j = \sum_{j=1}^{m} \frac{\varepsilon_j}{v_j} .
\]
The PGF for a single band $j$ can be rewritten, since the sum over $n$ is the exponential series in $\mu_j z^{v_j}$, as:
\[
G_j(z) = e^{-\mu_j} \sum_{n=0}^{\infty} \frac{\left(\mu_j z^{v_j}\right)^n}{n!} = e^{-\mu_j + \mu_j z^{v_j}} .
\]
Since each band is independent of the others, the general PGF for the losses is:
\[
G(z) = \prod_{j=1}^{m} G_j(z)
     = \prod_{j=1}^{m} e^{-\mu_j + \mu_j z^{v_j}}
     = e^{-\sum_{j=1}^{m} \mu_j + \sum_{j=1}^{m} \mu_j z^{v_j}} .
\]
Remark: $G(z)$ depends only on $v_j$ and $\varepsilon_j$; to characterize it one needs:
- knowledge of the different possible sizes of access $v_j$ to which the security system
is vulnerable,
- knowledge of the expected losses arising from each access size.
Now define $A_n := \Pr(\text{loss from an attack} = L\, n)$, where an attack includes all the
vulnerabilities discovered. One has:
\[
A_n = \sum_{j:\, v_j \le n} \frac{\varepsilon_j}{n}\, A_{n - v_j}, \qquad j = 1 : m , \tag{2}
\]
where the derivation follows what was done for the CreditRisk+ model.
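The following Python program is an added worked example, not code from the note. It covers two passages: the access bands (a continuous access is rounded to an integer number of units $L$, the simplest possible banding, chosen here for illustration; the note leaves the choice open), and recursion (2), computed band by band in $O(n_{\max} \cdot m)$ time. Names follow the symbols used above: `mu_j` for $\mu_j$, `eps_j` for $\varepsilon_j = v_j \mu_j$, `A[n]` for $A_n$. The vulnerability list and the unit size are constructed sample inputs. A direct convolution of the per-band Poisson losses is included only as an independent check that the recursion reproduces the same distribution.

```python
import math
from collections import defaultdict

# Constructed sample input (not from the note): expected number of
# vulnerabilities of each kind found in one assessment, paired with the
# access each one grants, in the base currency.
SAMPLE_VULNS = [
    (1.0, 950.0),    # one "small access" finding expected, worth about 950
    (1.0, 1100.0),   # a second small one
    (0.5, 2900.0),   # a larger one, expected in half of the assessments
]
UNIT = 1000.0        # L: unit amount of access, in the base currency


def make_bands(vulns, unit=UNIT):
    """Discretize accesses into bands.

    Each access is rounded to an integer number v_j of units (illustrative
    choice; the note leaves the banding method open as problem 2).  Expected
    counts of vulnerabilities that land in the same band are added, giving
    mu_j, and the band's expected loss is eps_j = v_j * mu_j.
    Returns a list of (v_j, mu_j, eps_j) sorted by v_j.
    """
    mu_by_band = defaultdict(float)
    for mu, access in vulns:
        v = max(1, round(access / unit))   # never collapse a finding to 0 units
        mu_by_band[v] += mu
    return [(v, mu, v * mu) for v, mu in sorted(mu_by_band.items())]


def loss_distribution(bands, n_max):
    """Recursion (2): A_n = (1/n) * sum_{j: v_j <= n} eps_j * A_{n - v_j}.

    A_n is the probability that the aggregated loss equals n units of L.
    A_0 = exp(-sum_j mu_j) is the probability that nothing is found at all.
    Each A_n costs one pass over the m bands, so no series expansion or
    convolution is needed.
    """
    mu_total = sum(mu for _, mu, _ in bands)
    A = [0.0] * (n_max + 1)
    A[0] = math.exp(-mu_total)
    for n in range(1, n_max + 1):
        acc = 0.0
        for v, _, eps in bands:
            if v <= n:
                acc += eps * A[n - v]
        A[n] = acc / n
    return A


def loss_distribution_by_convolution(bands, n_max):
    """Reference computation used to check (2): convolve, band by band, the
    distribution of v_j * N_j with N_j ~ Poisson(mu_j), truncated at n_max."""
    dist = [0.0] * (n_max + 1)
    dist[0] = 1.0
    for v, mu, _ in bands:
        nxt = [0.0] * (n_max + 1)
        for n, p in enumerate(dist):
            if p == 0.0:
                continue
            k = 0
            while n + k * v <= n_max:
                nxt[n + k * v] += p * math.exp(-mu) * mu ** k / math.factorial(k)
                k += 1
        dist = nxt
    return dist


def expected_loss_units(A):
    """Mean of the computed distribution in units of L; equals sum_j eps_j."""
    return sum(n * p for n, p in enumerate(A))


def tail_probability(A, threshold_units):
    """Pr(loss >= threshold), the figure a risk owner usually asks for."""
    return sum(A[threshold_units:])


if __name__ == "__main__":
    bands = make_bands(SAMPLE_VULNS)
    A = loss_distribution(bands, n_max=60)
    print("bands (v_j, mu_j, eps_j):", bands)
    print("Pr(no loss)         =", A[0])
    print("E[loss] in units    =", expected_loss_units(A))
    print("Pr(loss >= 5 units) =", tail_probability(A, 5))
```

With the sample input the two small findings fall into band $v_j = 1$ with $\mu_1 = 2$ and the large one into band $v_j = 3$ with $\mu_3 = 0.5$, so the expected loss is $\varepsilon_1 + \varepsilon_3 = 3.5$ units; the recursion and the convolution agree to floating-point precision, and the mean of the computed $A_n$ recovers that value. The truncation point `n_max` has to be large enough that the mass beyond it is negligible, which is easy to check by summing the $A_n$.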
Problems
1. Is the Gamma distr. a good choice for the distr. of the access v granted by a
single vulnerability?
2. How to discretize the continuous distribution for v?
3. The sum in (2) goes up to index m. Is m a random variable or is it fixed a priori?
4. Is it possible to obtain the needed knowledge about $v_j$ and $\varepsilon_j$ from data and/or
expert judgement?
5. How to efficiently compute (2)?
6. How to introduce the dependence N = N(t) of the number N of discovered vulnerabilities
on the realization of the exponential random variable t, the time spent in the
assessment phase?
