Estimating ToE Risk Level Using CVSS

Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is making future-oriented, cost-benefit investments in security. Security investments must adhere to sound business principles in which both security and financial aspects play an important role. Information on the current and potential risk level is essential for successfully trading off security against financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works at the level of individual vulnerabilities (as CVSS does) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.
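The following Python block is an added illustration of the pipeline the abstract describes, not the paper's own model: per-vulnerability frequency and impact estimates taken from the CVSS v2 exploitability and impact subscores, composed into one service-level estimate for a Target of Evaluation (ToE), and then fed into a Markov chain over service levels to predict risk level at time t. The two vulnerabilities, the three service levels, the composition rule, the transition matrix and the recovery rate are all constructed assumptions.

```python
from math import prod

# CVSS v2 base metric weights (NIST, A Complete Guide to CVSS v2.0)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

# Constructed Target of Evaluation: two vulnerabilities given as CVSS v2 base vectors
TOE_VULNS = {"vuln-A": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
             "vuln-B": "AV:L/AC:H/Au:S/C:C/I:C/A:C"}
RISK_WEIGHT = (0.0, 0.5, 1.0)  # service levels normal / degraded / compromised (assumption)

def parse_vector(vec):
    return dict(part.split(":") for part in vec.split("/"))

def frequency(m):
    """Frequency estimate in [0,1]: CVSS v2 exploitability subscore scaled by 1/10."""
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]] / 10

def impact(m):
    """Impact estimate in [0,1]: CVSS v2 impact subscore scaled by 1/10, clamped at 1."""
    lost = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    return min(1.0, 10.41 * lost / 10)

def compose(vulns):
    """Service-level estimates (assumed rule): P(at least one exploit) and the
    frequency-weighted mean impact over the ToE's vulnerabilities."""
    ms = [parse_vector(v) for v in vulns.values()]
    fs, ims = [frequency(m) for m in ms], [impact(m) for m in ms]
    p_any = 1 - prod(1 - f for f in fs)
    return p_any, sum(f * i for f, i in zip(fs, ims)) / sum(fs)

def transition_matrix(p_exploit, imp, recovery=0.3):
    """Constructed Markov chain over service levels: an exploit moves the service
    down, to 'compromised' in proportion to impact; the recovery rate is an assumption."""
    down = p_exploit * imp
    return [[1 - p_exploit, p_exploit - down, down],
            [recovery, (1 - recovery) * (1 - down), (1 - recovery) * down],
            [0.0, recovery, 1 - recovery]]

def risk_level_at(t, vulns=TOE_VULNS, start=(1.0, 0.0, 0.0)):
    """Expected risk level after t periods, starting from the state distribution `start`."""
    p_any, imp = compose(vulns)
    P, dist = transition_matrix(p_any, imp), list(start)
    for _ in range(t):
        dist = [sum(dist[i] * P[i][j] for i in range(3)) for j in range(3)]
    return sum(d * w for d, w in zip(dist, RISK_WEIGHT))
```

Calling `risk_level_at(t)` for increasing t shows the predicted risk level rising from 0 (service starts in the normal state) toward the chain's steady state, which is the quantity a cost-benefit trade-off would compare across candidate security investments.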
