Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

This paper proposes a new approach for assessing an organization's vulnerability to information-security breaches. Although much research has been done on qualitative approaches, the literature on numerical approaches to quantify information-security risk is scarce. This paper suggests a method to quantify risk in terms of a numeric value or "degree of cybersecurity". To help quantitatively measure the level of cybersecurity for a computer-based information system, we present two indices, the threat-impact index and the cyber-vulnerability index, both based on vulnerability trees. By calculating and comparing the indices for various possible security enhancements, managers can select the best security enhancement, prioritize the choices by their relative effectiveness, and statistically justify spending resources on the selected choice. By quantifying information security, the method can also help managers establish a specific target security level that they can track. We illustrate the use of the proposed methodology on the security of supervisory control and data acquisition (SCADA) systems, using data from the SCADA system test bed implemented at the University of Louisville as a case study, and then show the use of the proposed indices on this information system before and after two security enhancements.
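The abstract describes comparing a threat-impact index and a cyber-vulnerability index across candidate security enhancements, but the paper's actual index definitions are not reproduced on this page. The following is an added illustration, not the paper's code or formulas: it assumes standard fault-tree semantics for a vulnerability tree (leaves carry an estimated exploitation probability, OR gates combine as 1 - prod(1 - p), AND gates as prod(p)), takes the cyber-vulnerability index to be the probability of the top "system compromise" event, and takes the threat-impact index to be the sum over top-level threats of probability times an impact weight. The SCADA-flavoured tree, the leaf probabilities, the impact weights, and the two enhancements (`strong_operator_auth`, `patch_hmi`) are all constructed for the example.

```python
"""Illustrative vulnerability-tree evaluation (added example; the index
formulas are assumed fault-tree conventions, not the paper's definitions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None             # "AND" / "OR" for internal nodes, None for a leaf
    prob: float = 0.0                      # estimated exploitation probability (leaves only)
    children: List["Node"] = field(default_factory=list)


def probability(node: Node) -> float:
    """Propagate leaf probabilities up to this node using assumed fault-tree rules."""
    if node.gate is None:
        return node.prob
    ps = [probability(c) for c in node.children]
    if node.gate == "AND":                 # every child must succeed
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.gate == "OR":                  # at least one child succeeds
        none_succeed = 1.0
        for p in ps:
            none_succeed *= 1.0 - p
        return 1.0 - none_succeed
    raise ValueError(f"unknown gate {node.gate!r}")


# Constructed leaf estimates for a small SCADA tree; an enhancement is expressed
# as a change to one or more of these leaves.
BASELINE_LEAVES: Dict[str, float] = {
    "control_net_reachable_from_corp": 0.8,
    "weak_operator_auth": 0.5,
    "unpatched_hmi_service": 0.3,
    "field_link_dos": 0.4,
}

# Constructed impact weights per top-level threat (arbitrary 1-10 scale).
THREAT_IMPACTS: Dict[str, float] = {
    "unauthorized_control_command": 10.0,
    "loss_of_view": 4.0,
}


def build_tree(leaves: Dict[str, float]) -> Tuple[Node, Dict[str, Node]]:
    """Assemble the constructed tree from a leaf-probability table."""
    def leaf(name: str) -> Node:
        return Node(name, prob=leaves[name])

    threats = {
        "unauthorized_control_command": Node(
            "unauthorized_control_command", gate="OR",
            children=[
                # remote login requires both reachability and weak authentication
                Node("remote_login", gate="AND",
                     children=[leaf("control_net_reachable_from_corp"),
                               leaf("weak_operator_auth")]),
                leaf("unpatched_hmi_service"),
            ]),
        "loss_of_view": Node("loss_of_view", gate="OR",
                             children=[leaf("field_link_dos")]),
    }
    root = Node("system_compromise", gate="OR", children=list(threats.values()))
    return root, threats


def evaluate(leaves: Dict[str, float]) -> Dict[str, float]:
    """Return the assumed cyber-vulnerability index (cvi) and threat-impact index (tii)."""
    root, threats = build_tree(leaves)
    cvi = probability(root)
    tii = sum(probability(t) * THREAT_IMPACTS[name] for name, t in threats.items())
    return {"cvi": cvi, "tii": tii}


def rank_enhancements(baseline: Dict[str, float],
                      enhancements: Dict[str, Dict[str, float]]):
    """Score each enhancement and order by reduction in the vulnerability index."""
    base = evaluate(baseline)
    rows = []
    for name, changes in enhancements.items():
        scores = evaluate({**baseline, **changes})
        rows.append((name, scores["cvi"], scores["tii"], base["cvi"] - scores["cvi"]))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


ENHANCEMENTS = {
    "strong_operator_auth": {"weak_operator_auth": 0.1},
    "patch_hmi": {"unpatched_hmi_service": 0.05},
}

if __name__ == "__main__":
    base = evaluate(BASELINE_LEAVES)
    print(f"baseline               CVI={base['cvi']:.3f} TII={base['tii']:.2f}")
    for name, cvi, tii, delta in rank_enhancements(BASELINE_LEAVES, ENHANCEMENTS):
        print(f"{name:22s} CVI={cvi:.3f} TII={tii:.2f} CVI reduction={delta:.3f}")
```

With these constructed numbers the baseline compromise probability is 0.748; hardening operator authentication lowers it to about 0.614, while patching the HMI service alone lowers it to 0.658, so the authentication enhancement ranks first on both indices. The point of the structure is that an enhancement is modelled as a leaf change and its effect is read off the same tree, which is what makes the candidate enhancements directly comparable.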
