Security risk analysis has received much attention because of its implications for information protection. Risk analysis requires evaluating SV, ARO and EF. SV and ARO can feasibly be evaluated from statistical data.
However, evaluating EF is difficult, even though it is a critical item for the assessment. In this paper, we propose a system-based model for evaluating EF in quantitative risk analysis.