Assessing the risk of using vulnerable components

This paper discusses how information about the architecture and the vulnerabilities affecting a distributed system can be used to quantitatively assess the risk to which the system is exposed. Our approach to risk evaluation can be used to assess how much one should believe in system trustworthiness and to compare different solutions, providing a tool for deciding if the additional cost of a more secure component is worth to be afforded.

[1]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[2]  Francesco Parisi-Presicce,et al.  Risky trust: risk-based analysis of software systems , 2005, SOEN.

[3]  Shamkant B. Navathe,et al.  Managing vulnerabilities of information systems to security incidents , 2003, ICEC '03.

[4]  Gautam Biswas,et al.  Applications of qualitative modeling to knowledge-based risk assessment studies , 1989, IEA/AIE '89.

[5]  Mehmet Sahinoglu,et al.  Security meter: a practical decision-tree model to quantify risk , 2005, IEEE Security & Privacy Magazine.

[6]  Sushil Jajodia,et al.  Efficient minimum-cost network hardening via exploit dependency graphs , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[7]  Khaled M. Khan,et al.  A framework for an active interface to characterise compositional security contracts of software components , 2001, Proceedings 2001 Australian Software Engineering Conference.

[8]  Carol Woody,et al.  Introduction to the OCTAVE ® Approach , 2003 .

[9]  M. Elisabeth Paté-Cornell,et al.  Fault Trees vs. Event Trees in Reliability Analysis , 1984 .

[10]  Ira S. Moskowitz,et al.  An insecurity flow model , 1998, NSPW '97.

[11]  Francesco Parisi-Presicce,et al.  Risky trust: risk-based analysis of software systems , 2005, SESS@ICSE.

[12]  Paul J. Deitel,et al.  Web Services A Technical Introduction , 2002 .

[13]  RICHAFID BASKERVILLE,et al.  Information systems security design methods: implications for information systems development , 1993, CSUR.

[14]  Shelby Evans,et al.  Risk-based Systems Security Engineering: Stopping Attacks with Intention , 2004, IEEE Secur. Priv..