Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics

Known vulnerabilities which have been discovered but not patched represent a security risk that can lead to considerable financial damage or loss of reputation. They include vulnerabilities for which no patch is available or for which patches are applied after some delay. Exploitation is possible even before public disclosure of a vulnerability. This paper formally defines risk measures and examines possible approaches for assessing risk using actual data. We explore the use of CVSS vulnerability metrics, which are publicly available and are being used for ranking vulnerabilities. Then, a general stochastic risk evaluation approach is proposed that considers the vulnerability lifecycle starting with discovery. A conditional risk measure and assessment approach is also presented for the case where only known vulnerabilities are considered. The proposed approach bridges formal risk theory with industrial approaches currently in use, allowing IT risk assessment in an organization and a comparison of potential alternatives for optimizing remediation. These actual-data-driven methods will assist managers with software selection and patch application decisions in a quantitative manner.
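As an added illustration (not the paper's model), the following Python sketches what a conditional risk measure over known, unpatched vulnerabilities can look like: each vulnerability's exposure window is derived from its lifecycle dates (public disclosure, patch application), its CVSS v2 exploitability and impact subscores drive an assumed Poisson exploitation model, and the result is an expected loss per vulnerability that can be used to rank remediation alternatives. The sample inventory, the identifiers and the daily attempt rate are constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class KnownVuln:
    """A vulnerability in the 'known' lifecycle state: publicly disclosed,
    with a patch either applied on some date or not yet applied."""
    vuln_id: str             # constructed placeholder id, not a real CVE
    disclosed: date          # public disclosure date
    patched: Optional[date]  # date the patch was applied; None = still exposed
    exploitability: float    # CVSS v2 exploitability subscore, 0..10
    impact: float            # CVSS v2 impact subscore, 0..10

def exposure_days(v: KnownVuln, today: date) -> int:
    """Length of the window in which the vulnerability was known but unpatched."""
    end = v.patched if v.patched is not None else today
    return max((end - v.disclosed).days, 0)

def exploit_probability(v: KnownVuln, today: date, daily_rate: float = 0.02) -> float:
    """Assumed (illustrative) model: exploitation attempts arrive as a Poisson
    process whose rate scales with the exploitability subscore; returns the
    probability of at least one exploitation during the exposure window."""
    rate = daily_rate * (v.exploitability / 10.0)
    return 1.0 - math.exp(-rate * exposure_days(v, today))

def conditional_risk(vulns, today: date, asset_value: float) -> dict:
    """Expected loss per known vulnerability: P(exploit) x impact fraction x asset value.
    The impact subscore is used as the fraction of the asset value that would be lost."""
    return {v.vuln_id: exploit_probability(v, today) * (v.impact / 10.0) * asset_value
            for v in vulns}

def total_risk(vulns, today: date, asset_value: float) -> float:
    """Aggregate expected loss over the whole known-vulnerability inventory."""
    return sum(conditional_risk(vulns, today, asset_value).values())

# Constructed sample inventory (ids, dates and scores are made up for this example).
TODAY = date(2010, 3, 1)
SAMPLE = [
    KnownVuln("VULN-A", date(2010, 1, 1), date(2010, 1, 31), 10.0, 10.0),  # patched after 30 days
    KnownVuln("VULN-B", date(2010, 1, 1), None, 8.6, 6.4),                 # still unpatched
    KnownVuln("VULN-C", date(2010, 2, 1), date(2010, 2, 1), 10.0, 10.0),   # patched on disclosure day
]

if __name__ == "__main__":
    ranked = sorted(conditional_risk(SAMPLE, TODAY, 100_000).items(), key=lambda kv: -kv[1])
    for vid, loss in ranked:
        print(f"{vid}: expected loss {loss:,.0f}")
```

Comparing `total_risk` under alternative patch dates gives a quantitative basis for choosing between remediation schedules, which is the kind of decision the abstract targets.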
