“…As risk management models, we mention the Single Loss Expectancy (SLE) [6], the Mean Failure Cost (MFC) [1,7], the Bayesian Defense Graphs and Architectural Models [14], the Availability, Integrity, Confidentiality and Authentication (AICA), the improving web application security model (IWAS) and AURUM [5]. Ideally, information security will be enhanced by quantitative risk analyses [12,13]. In different cases, it is difficult to exclude the risk but it can be reduced; then the assessment result is useful for future business decisions [18]. However, quantifying security is a hard task, and it is harder when the related system is complex [21].…”