Attack tree based information security risk assessment method integrating enterprise objectives with vulnerabilities

Quantitative and qualitative approaches exist for analysing and mitigating information security risks, but their most critical shortcoming is that the outcome mainly addresses the needs and priorities of the technical community rather than those of management. For enterprise management, this information is essentially required as a decision-making aid for asset allocation and the prioritization of mitigation efforts. So, ideally, the outcome of an information security risk method must be in synchronization with the enterprise objectives to act as a useful decision tool for management. Also, attack trees are frequently utilized in modelling the threat domain. However, executing attack tree modelling is costly in effort and time, and it also has inherent scalability issues. So, within this article, our design-science research based work on an information security risk assessment method that addresses these two issues, enterprise objective inclusion and model scalability, will be outlined.
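As an added illustration of the idea the abstract names, and not the paper's own method, the following Python example evaluates small AND/OR attack trees over vulnerabilities, weights each attack goal by the enterprise objectives it would harm, and ranks vulnerabilities by how much business risk fixing each one removes. The tree, probabilities, objectives and weights are constructed sample values, and the independence assumption between attack steps is mine.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass(eq=False)  # identity-based hashing so nodes can key a dict
class Node:
    """Attack tree node: a leaf (exploitable vulnerability) or an AND/OR gate."""
    name: str
    kind: str = "leaf"          # "leaf", "AND" or "OR"
    prob: float = 0.0           # leaf only: likelihood the step succeeds
    children: list = field(default_factory=list)

def success_probability(node: Node) -> float:
    """Probability the goal at `node` is reached (assumes independent steps)."""
    if node.kind == "leaf":
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.kind == "AND":                       # every child step must succeed
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)       # OR: at least one child succeeds

def business_risk(goals: dict, objectives: dict) -> float:
    """Management-facing score: sum of weight x impact x P(goal) over objectives.
    `goals` maps tree root -> {objective: impact in [0, 1]};
    `objectives` maps objective -> weight assigned by management."""
    return sum(objectives[obj] * impact * success_probability(root)
               for root, impacts in goals.items() for obj, impact in impacts.items())

def leaves(node: Node) -> list:
    return [node] if node.kind == "leaf" else [l for c in node.children for l in leaves(c)]

def mitigation_ranking(goals: dict, objectives: dict) -> list:
    """Rank each vulnerability by the business risk removed when it is fixed (prob -> 0)."""
    base = business_risk(goals, objectives)
    ranking = []
    for leaf in {l.name: l for root in goals for l in leaves(root)}.values():
        saved, leaf.prob = leaf.prob, 0.0          # temporarily treat as mitigated
        ranking.append((leaf.name, round(base - business_risk(goals, objectives), 4)))
        leaf.prob = saved
    return sorted(ranking, key=lambda r: -r[1])

# Constructed sample: two attack goals that share the vulnerability "phish_admin".
phish = Node("phish_admin", prob=0.4)
sqli = Node("sqli_webapp", prob=0.3)
vpn = Node("weak_vpn_password", prob=0.2)
steal_data = Node("steal_customer_data", "OR",
                  children=[sqli, Node("credential_path", "AND", children=[phish, vpn])])
outage = Node("disrupt_order_system", "AND", children=[phish, Node("unpatched_erp", prob=0.5)])
GOALS = {steal_data: {"customer_trust": 1.0, "revenue": 0.5}, outage: {"revenue": 1.0}}
OBJECTIVES = {"customer_trust": 3.0, "revenue": 2.0}   # weights set by management

if __name__ == "__main__":
    print(round(business_risk(GOALS, OBJECTIVES), 4), mitigation_ranking(GOALS, OBJECTIVES))
```

Because the shared leaf is re-evaluated across every tree it appears in, the ranking reflects enterprise-wide impact rather than a single tree, which is the management view the abstract argues for.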