Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Window

In this paper we present a novel approach that uses mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, we investigate vulnerability management policies, explore how effective standard patch management and emergency-escalation-based policies are, and examine how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window. The paper describes the model we constructed to represent typical vulnerability management processes in large organizations, which captures both the external threat environment and the internal security processes and decision points. We also present the results of the experimental simulations, and show how changes in security solutions and policies, such as speeding up patch deployment and investing in early mitigation measures, affect the overall exposure window in terms of the time it takes to reduce the potential risk. We believe that this type of mathematical modelling and simulation-based approach provides a novel and useful way of considering security investment decisions, one that is quite distinct from traditional risk analysis.
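The kind of stochastic simulation the abstract describes, as an added illustration that is not the paper's own model: each run draws one threat scenario (exploit availability after disclosure) and one set of internal process timings, then measures the exposure window under a standard patch cycle, an emergency escalation policy, and a pre-patch mitigation policy. All distributions and parameter values are constructed assumptions, not figures from the paper.

```python
import random
from statistics import mean

# Constructed parameters in days; assumptions for illustration, not the paper's values.
EXPLOIT_MEAN = 10.0                         # exploit appears ~Exp(mean 10 d) after disclosure
PATCH_MEAN, PATCH_SD = 30.0, 7.0            # standard test-and-deploy cycle
ESCALATION_MEAN, ESCALATION_SD = 5.0, 1.0   # emergency deploy once an exploit is observed
MITIGATION_MEAN, MITIGATION_SD = 3.0, 1.0   # pre-patch workaround (e.g. a config change)

def risk_reduced_at(policy, exploit_t, patch_t, escalate_delay, mitigate_t):
    """Day (counted from disclosure) at which the given policy reduces the risk."""
    if policy == "standard":
        return patch_t
    if policy == "escalation":
        # The emergency track only starts once an exploit is seen; the normal
        # patch may still land first if the exploit appears late.
        return min(patch_t, exploit_t + escalate_delay)
    if policy == "mitigation":
        return min(mitigate_t, patch_t)
    raise ValueError(f"unknown policy {policy!r}")

def simulate(policies, n=2000, seed=1, patch_mean=PATCH_MEAN):
    """Monte Carlo estimate of the exposure window for each policy."""
    rng = random.Random(seed)
    windows = {p: [] for p in policies}
    for _ in range(n):
        # Common random numbers: every policy faces the same threat scenario,
        # so differences between policies are not simulation noise.
        exploit_t = rng.expovariate(1.0 / EXPLOIT_MEAN)
        patch_t = max(0.0, rng.gauss(patch_mean, PATCH_SD))
        escalate = max(0.0, rng.gauss(ESCALATION_MEAN, ESCALATION_SD))
        mitigate = max(0.0, rng.gauss(MITIGATION_MEAN, MITIGATION_SD))
        for p in policies:
            end = risk_reduced_at(p, exploit_t, patch_t, escalate, mitigate)
            # Exposure window: days during which an exploit exists and the
            # risk has not yet been reduced (zero if the fix beat the exploit).
            windows[p].append(max(0.0, end - exploit_t))
    return {p: {"mean_days": mean(w), "p_zero": sum(x == 0.0 for x in w) / n}
            for p, w in windows.items()}

if __name__ == "__main__":
    for name, r in simulate(["standard", "escalation", "mitigation"]).items():
        print(f"{name:11s} mean exposure {r['mean_days']:5.1f} d, "
              f"no exposure in {r['p_zero']:.0%} of runs")
    # "Speeding up patch deployment": halve the standard cycle and compare.
    print("standard, 15-day cycle:", simulate(["standard"], patch_mean=15.0)["standard"])
```

Varying `patch_mean` and the mitigation parameters is the kind of investment comparison the abstract refers to: the output shows how much of the window a faster cycle buys versus an earlier, cheaper mitigation.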
