论文信息 - Augmented Risk Analysis

Augmented Risk Analysis

Risk analysis has recently emerged as a structured and precise methodology to help modern companies understand their risks and plan the relative countermeasures well in advance. It is based on a number of indicators: parameters that quantify the key concepts on which an enterprise designs its security and safety investments. A modificator is a function that further modifies an existing indicator, and is itself an indicator. It is argued here that Risk Analysis can dramatically benefit from three novel modificators. One, the Exposure Factor during Critical Time (EFCT), expresses the percentage of loss or damage that an attack can infer to a time-critical asset. Another one, the Exposure Factor under Retaliation (EFR), formalises the mitigation to the loss or damage that an attack can infer to an asset when that loss or damage can be retaliated back onto the attacker. The third one, the Mitigated Risk against Collusion (MRC), formalises how a security measure can be effective against a single attacker but not necessarily against a large team of attackers working collaboratively for the same target. Our simulated results firmly support the benefits of such augmented Risk Analysis confirming the novel insights it can provide.

Stefano Bistarelli | Giampaolo Bella | Salvatore Riccobene | Pamela Peretti

[1] Stefano Bistarelli,et al. Retaliation: Can We Live with Flaws? , 2005 .

[2] Alexander K. Petrenko,et al. Electronic Notes in Theoretical Computer Science , 2009 .

[3] Gary Stoneburner,et al. SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[4] Ross J. Anderson. Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[5] G. Stoneburner,et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[6] Wes Sonnenreich,et al. Return On Security Investment (ROSI) - A Practical Quantitative Modell , 2005, J. Res. Pract. Inf. Technol..

[7] Ronald L. Krutz,et al. The CISSP Prep Guide: Mastering the Ten Domains of Computer Security , 2001 .

[8] Danny Dolev,et al. On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[9] Stefano Bistarelli,et al. Defense trees for economic evaluation of security investments , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[10] Stefano Bistarelli,et al. Soft Constraint Programming to Analysing Security Protocols , 2004, Theory Pract. Log. Program..

[11] Stefano Bistarelli,et al. A Protocol's Life After Attacks , 2003, Security Protocols Workshop.

[12] Harold F. Tipton,et al. Handbook of Information Security Management , 1997 .