Quantifying security risk level from CVSS estimates of frequency and impact

Modern society relies on and profits from well-balanced computerized systems. Each of these systems has a core mission, such as the correct and safe operation of safety-critical systems or the innovative and effective operation of e-commerce systems. It might be said that the success of these systems depends on their mission. Although the concept of "well-balanced" has a slightly different meaning for each of these two categories of systems, both have to meet customer needs, deliver capabilities and functions according to expectations, and generate revenue to sustain today's highly competitive market. Tighter financial constraints are forcing safety-critical systems away from dedicated and expensive communication regimes, such as the ownership and operation of dedicated communication links, towards reliance on third parties and standardized means of communication. As a consequence, knowledge about their internal structures and operations is more widely and publicly available, and this can make them more prone to security attacks. These systems are, therefore, moving towards a remotely exploitable environment, and the risks associated with this must be controlled. Risk management is a good tool for controlling risk, but it has the inherent challenge of quantitatively estimating frequency and impact in an accurate and trustworthy way. Quantifying the frequency and impact of potential security threats requires experience-based data, which is limited and rarely reusable because it involves company confidential data. Therefore, there is a need for publicly available data sources that can be used in risk estimation. This paper presents a risk estimation model that makes use of one such data source, the Common Vulnerability Scoring System (CVSS). The CVSS Risk Level Estimation Model estimates a security risk level from vulnerability information as a combination of frequency and impact estimates derived from the CVSS. It is implemented as a Bayesian Belief Network (BBN) topology, which allows not only the use of CVSS-based estimates but also the combination of disparate information sources and, thus, provides the ability to use whatever risk information is available. The model is demonstrated using a safety- and mission-critical system for drilling operational support, the Measurement and Logging While Drilling (M/LWD) system.
