Measuring Security Investment Benefit for COTS-Based Systems: A Stakeholder Value-Driven Approach

This paper presents the Threat Modeling method based on Attacking Path Analysis (T-MAP), which quantifies security threats for Commercial Off-The-Shelf (COTS) based systems by calculating the total severity weights of the relevant attacking paths. Compared to existing approaches, T-MAP is sensitive to an organization’s business value priorities and IT environment. It distills the technical details of thousands of relevant software vulnerabilities into high-level, management-friendly numbers. In its initial use in a large IT organization, T-MAP demonstrated significant strength in prioritizing security investments and estimating their effectiveness, as well as in evaluating the security performance of COTS systems. In the case study, we demonstrate the steps of using T-MAP to analyze the cost-effectiveness with which system patching, user account control and firewalls improve security. In addition, we introduce a software tool that automates T-MAP.
