Assessing Risk Estimations for Cyber-Security Using Expert Judgment

Michael Krisper*, Jürgen Dobaj, Georg Macher

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review


In this paper, we show a use-case of structured expert judgment to assess the risk of a cyber-security attack. We showcase the process of eliciting unknown and uncertain values using multiple experts and combining these judgments by weighting the experts based on their performance. The performance of an expert is assessed using the information and calibration score calculated from the judgments of calibration questions. The judgments are stated as three-point estimates of minimum, most likely, and maximum value, which serve as input for the PERT probability distribution. For the use-case, the input values frequency, vulnerability, and impact were asked. The combined results are propagated along an attack path to calculate the risk of a cyber-security attack. This was done using RISKEE, a tool for assessing risk in cyber-security and implementing the combination of expert judgments and propagation of the values in an attack-tree. It uses an attack graph to model the attack paths and applies probability distributions for the input values to consider the uncertainty of predictions and expert judgments. We also describe experiences and lessons learned for conducting an expert elicitation to acquire input values for estimating risks in cyber-security.
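The pipeline the abstract outlines (three-point estimates, PERT distributions, performance-weighted combination, propagation along an attack path) can be sketched as a Monte Carlo simulation. This is an added example, not RISKEE's code or the authors' method: the expert weights and all estimates are constructed, and it assumes a weighted linear pool of experts, the standard PERT shape parameter of 4, and per-step vulnerabilities multiplied along the path.

```python
import random
import statistics

def pert_sample(rng, lo, mode, hi, lam=4.0):
    """One draw from a PERT distribution (a Beta rescaled to [lo, hi])."""
    if not lo <= mode <= hi:
        raise ValueError("need lo <= mode <= hi")
    if lo == hi:
        return float(lo)
    alpha = 1 + lam * (mode - lo) / (hi - lo)
    beta = 1 + lam * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)

def pooled_sample(rng, judgments, weights):
    """Weighted linear pool: choose an expert by weight, sample that expert's PERT."""
    lo, mode, hi = rng.choices(judgments, weights=weights, k=1)[0]
    return pert_sample(rng, lo, mode, hi)

def simulate_risk(frequency, path_steps, impact, weights, n=20000, seed=1):
    """Monte Carlo risk = frequency * product(step vulnerabilities) * impact."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        risk = pooled_sample(rng, frequency, weights)
        for step in path_steps:
            risk *= pooled_sample(rng, step, weights)
        risk *= pooled_sample(rng, impact, weights)
        losses.append(risk)
    losses.sort()
    return {"mean": statistics.fmean(losses), "p05": losses[int(0.05 * n)],
            "p50": losses[n // 2], "p95": losses[int(0.95 * n)]}

# Constructed sample data: three experts, (min, most likely, max) each.
WEIGHTS = [0.6, 0.3, 0.1]                         # assumed performance weights
FREQUENCY = [(1, 4, 12), (2, 5, 20), (0, 1, 50)]  # attack attempts per year
PATH_STEPS = [                                    # success probability per step
    [(0.05, 0.2, 0.5), (0.1, 0.3, 0.6), (0.0, 0.5, 1.0)],
    [(0.01, 0.1, 0.3), (0.05, 0.1, 0.4), (0.0, 0.2, 0.9)],
]
IMPACT = [(10e3, 50e3, 200e3), (5e3, 80e3, 500e3), (1e3, 10e3, 1e6)]  # loss per success

if __name__ == "__main__":
    for name, value in simulate_risk(FREQUENCY, PATH_STEPS, IMPACT, WEIGHTS).items():
        print(f"{name}: {value:,.0f} per year")
```

Reporting the 5th and 95th percentiles alongside the mean keeps the spread of the expert judgments visible in the result instead of collapsing it to a single risk number.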
Original language: English
Title of host publication: Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings
Editors: Murat Yilmaz, Paul Clarke, Jörg Niemann, Richard Messnarz
Number of pages: 15
ISBN (Print): 9783030564407
Publication status: Published - 9 Aug 2020
Event: 27th European Conference on Systems, Software and Services Process Improvement: EuroSPI 2020 - Düsseldorf, Hybrider Event, Düsseldorf, Germany
Duration: 9 Sept 2020 to 11 Sept 2020

Publication series

Name: Communications in Computer and Information Science
Volume: 1251 CCIS
ISSN (Print): 1865-0929
ISSN (Electronic): 1865-0937


Conference: 27th European Conference on Systems, Software and Services Process Improvement
Abbreviated title: EuroSPI 2020
City: Hybrider Event, Düsseldorf
Internet address


  • Cyber-security
  • Expert elicitation
  • Expert judgment
  • Probabilistic methods
  • Risk assessment

ASJC Scopus subject areas

  • Computer Science(all)
  • Mathematics(all)
  • Safety, Risk, Reliability and Quality

Fields of Expertise

  • Information, Communication & Computing

Treatment code (detailed classification)

  • Application

