Friday, November 10, 2017

Analyzing the Risks of Information Security Investments With Monte Carlo Simulations

By: Sam Farnan


James Conrad describes how he uses Monte Carlo software simulations to help quantify the uncertainty that is so prevalent in cyber-security for businesses. The author details that these simulations can pay off incredibly well when compared to more conventional information-security models. Specifically, the conventional models use "assumed" or "expected" values. The author writes: "For example, an expert might estimate the particular frequency of an attack to be 2 intrusions per year. Could it be only 1? Perhaps. Could it be 4? Sure. Is 4 more probable than 1? Well yes. How about 100? No that would be unlikely. A Monte Carlo simulation enables an analyst to quantify the uncertainty in an expert's estimate by defining it as a probability distribution rather than just a single expected value".

The author also points out that the analyst is able to account for uncertainty in the expert opinions themselves when running these simulations. All of this is displayed as a forecast range that is comprehensible to managers. Following the gathering of variables (ideally based on expert opinions), "the tool selects a random value for each parameter, executes the hosted security model with those values, and collects the forecasted results from the model. Selection, execution and collection are repeated in many (often thousands of) iterations of the model. Commercial Monte-Carlo tools offer a capability to display the result of the simulation as a chart plotting the forecast’s distribution".

The author highlights that these models are easier on experts, who can provide a range of uncertainty instead of a single value that may or may not fully represent the chances of something, in this case a cyber attack, happening. He then concludes that these simulations are very useful for systems-level applications because uncertainty can be recognized and accounted for in them.
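The selection, execution and collection loop described above, as an added Python example that is not taken from Conrad's article or from this post. The (low, most likely, high) figures are constructed, the triangular distributions are an assumed way of encoding an expert's range, and the "annual loss = frequency x cost per intrusion" formula is an assumed stand-in for the hosted security model.

```python
import random
import statistics

# Constructed expert estimates as (low, most likely, high); not from the article.
FREQ = (1, 2, 6)                      # intrusions per year
LOSS = (10_000, 40_000, 150_000)      # cost per intrusion, USD

def point_estimate(freq=FREQ, loss=LOSS):
    """Conventional single-value model: most-likely frequency x most-likely cost."""
    return freq[1] * loss[1]

def simulate(freq=FREQ, loss=LOSS, iterations=10_000, seed=2017):
    """Selection, execution and collection, repeated `iterations` times."""
    rng = random.Random(seed)         # fixed seed so a run can be reproduced
    forecasts = []
    for _ in range(iterations):
        # Selection: one random value per parameter, drawn from the expert's range.
        frequency = rng.triangular(freq[0], freq[2], freq[1])
        cost = rng.triangular(loss[0], loss[2], loss[1])
        # Execution: the assumed model, annual loss = frequency x cost.
        # Collection: keep this iteration's forecast.
        forecasts.append(frequency * cost)
    return sorted(forecasts)

def summarize(forecasts, threshold):
    """Forecast range for a manager, plus the chance of exceeding `threshold`."""
    n = len(forecasts)

    def pct(p):
        return forecasts[min(n - 1, int(p * n))]

    return {
        "p5": pct(0.05), "p50": pct(0.50), "p95": pct(0.95),
        "mean": statistics.fmean(forecasts),
        "p_exceed": sum(x > threshold for x in forecasts) / n,
    }

if __name__ == "__main__":
    single = point_estimate()
    stats = summarize(simulate(), threshold=single)
    print(f"single-value estimate:  ${single:,.0f}")
    print(f"5th to 95th percentile: ${stats['p5']:,.0f} to ${stats['p95']:,.0f}")
    print(f"median / mean:          ${stats['p50']:,.0f} / ${stats['mean']:,.0f}")
    print(f"P(loss > single-value estimate): {stats['p_exceed']:.0%}")
```

Because both constructed ranges are skewed toward the high end, most simulated years cost more than the single-value estimate, which is the information a point estimate hides.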


Although the author presents evidence that Monte Carlo simulations can account for uncertainty and provide a range instead of a value for the odds of how many times something might happen, I feel this article is highly technical in nature and is not suited for someone who does not already have experience utilizing Monte Carlo simulation software.


  1. It appears that Monte Carlo simulation serves as a complementary method when used with Bayesian statistics given that the models in this study use "assumed" or "expected" values. It would be interesting to see Monte Carlo simulation used in conjunction with the Delphi method.

  2. One of the important advantages of Monte Carlo simulation is its ability to run numerous "what-if" scenarios and determine to a degree the likelihood a scenario will occur. On the flip side, because a scenario has a higher assumed probability, it does not necessarily mean it will occur.