G-RAM framework for software risk assessment and mitigation strategies in organisations

Malicious attackers frequently breach information systems by exploiting disclosed software vulnerabilities. Knowledge of how these vulnerabilities evolve over time is essential when organisations decide which software products to use. The purpose of this paper is to propose a novel G-RAM framework for business organisations to assess and mitigate risks arising out of software vulnerabilities.

The G-RAM risk assessment module uses GARCH to model vulnerability growth. Using 16-year data across 1999-2016 from the National Vulnerability Database, the authors estimate the model parameters and validate the prediction accuracy. Next, the G-RAM risk mitigation module designs an optimal software portfolio using Markowitz's mean-variance optimisation for a given IT budget and preference.

Based on an empirical analysis, this study establishes that vulnerability follows a non-linear, time-dependent, heteroskedastic growth pattern. Further, efficient software combinations are proposed that optimise correlated risk. The study also reports empirical evidence of a shift in the efficient frontier of software configurations with time.

The existing assumption of independent and identically distributed residuals after vulnerability function fitting is incorrect. This study applies the GARCH technique to measure volatility clustering and mean reversal. The risk (or volatility), represented by the instantaneous variance, depends on the immediately previous variance as well as on the unconditional variance of the entire vulnerability growth process.

The volatility-based estimation of vulnerability growth is a risk assessment mechanism. Next, the portfolio analysis acts as a risk mitigation activity. Results from this study can decide the patch management cycle needed for each software product, whether individual or group patching. G-RAM also ranks the products in a 2×2 risk-return matrix to ensure that the correlated risk is diversified. Finally, the paper helps business firms decide what to purchase and what to avoid.

Contrary to the existing techniques, which either analyse with statistical distributions or with linear econometric methods, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. The paper also links software risk assessment to IT governance and strategic business objectives. To the authors' knowledge, this is the first study in IT security to examine and forecast volatility, and further design risk-optimal software portfolios.
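The two mechanisms the abstract combines, a GARCH(1,1) conditional-variance recursion over vulnerability-count residuals and a minimum-variance (Markowitz) mix of software products, are shown below in a small worked example. This is added illustration, not the paper's code: the GARCH parameters (omega, alpha, beta), the monthly residual series for the two hypothetical products, and the correlation between them are all constructed values, and the portfolio step solves only the unconstrained global minimum-variance case rather than the budget- and preference-constrained problem the paper describes.

```python
"""GARCH(1,1) volatility of vulnerability growth and a minimum-variance
software mix.  Added example with constructed data; not the G-RAM code."""
from math import sqrt


def garch11_variance(residuals, omega, alpha, beta, sigma2_0=None):
    """Conditional variance recursion of GARCH(1,1):
        sigma2_t = omega + alpha * e_{t-1}^2 + beta * sigma2_{t-1}
    Today's risk depends on the previous shock and the previous variance;
    the unconditional variance omega / (1 - alpha - beta) anchors the
    recursion (mean reversion).  Returns n + 1 values: the starting
    variance and one step for each residual, the last being a one-step
    forecast after the final observation."""
    if omega <= 0 or alpha < 0 or beta < 0 or alpha + beta >= 1:
        raise ValueError("need omega > 0, alpha, beta >= 0, alpha + beta < 1")
    if sigma2_0 is None:
        sigma2_0 = omega / (1.0 - alpha - beta)   # unconditional variance
    out = [sigma2_0]
    for e in residuals:
        out.append(omega + alpha * e * e + beta * out[-1])
    return out


def _solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting.
    Fine for the handful of software products a portfolio contains."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular covariance matrix")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def min_variance_weights(cov):
    """Global minimum-variance weights: w proportional to Sigma^{-1} 1,
    normalised to sum to one (no budget or sign constraints here)."""
    y = _solve(cov, [1.0] * len(cov))
    s = sum(y)
    return [v / s for v in y]


def portfolio_variance(w, cov):
    """w^T Sigma w: the correlated risk of the chosen software mix."""
    n = len(w)
    return sum(w[i] * cov[i][j] * w[j] for i in range(n) for j in range(n))


def cov_from_volatility(sigma2s, corr):
    """Build a covariance matrix from per-product conditional variances
    and an assumed correlation matrix: cov_ij = rho_ij * sqrt(s_i * s_j)."""
    n = len(sigma2s)
    return [[corr[i][j] * sqrt(sigma2s[i] * sigma2s[j]) for j in range(n)]
            for i in range(n)]


def demo():
    """Run both steps on constructed data; returns the pieces for checking."""
    # Constructed residuals (actual minus fitted monthly vulnerability counts)
    # for two hypothetical products; the shared spike models clustering.
    resid_a = [2.0, -1.0, 4.0]
    resid_b = [1.0, 3.0, -2.0]
    params = dict(omega=1.0, alpha=0.2, beta=0.7)   # constructed, not estimated
    s2_a = garch11_variance(resid_a, **params)
    s2_b = garch11_variance(resid_b, **params)
    corr = [[1.0, 0.3], [0.3, 1.0]]                 # assumed correlation
    cov = cov_from_volatility([s2_a[-1], s2_b[-1]], corr)
    w = min_variance_weights(cov)
    return s2_a, s2_b, cov, w, portfolio_variance(w, cov)


if __name__ == "__main__":
    s2_a, s2_b, cov, w, var = demo()
    print("forecast variances:", s2_a[-1], s2_b[-1])
    print("weights:", w, "portfolio variance:", var)
```

With these constructed parameters the unconditional variance is 10, the GARCH path for product A runs 10 -> 8.8 -> 7.36 -> 9.352, and the minimum-variance mix carries less risk than either product held alone, which is the diversification effect the abstract attributes to efficient software combinations.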
