A novel approach to evaluate software vulnerability prioritization

The aim of this study is to formulate an analysis model that expresses the security grade of a software vulnerability and serves as a basis for evaluating the danger level of an information system, or for filtering out the hazardous weaknesses of a system so that it can be improved against different risk factors. Using the fuzzy analytic hierarchy process (FAHP), we organize the interrelated factors of software weaknesses and build an evaluation framework. First, the fuzzy Delphi method is used to filter out the aspects and the corresponding determinants that affect security. Then we identify the value equation of each factor and establish a fuzzy synthetic decision-making model of software vulnerability. With this model we can analyze the various degrees to which a vulnerability affects security, and this information serves as a basis for future improvements of the system itself; a higher security score therefore implies a more secure system. Beyond this, the study also proposes an improvement on the traditional fuzzy synthetic decision-making model for measuring the fuzziness between the enhancement and the independence of the various aspects and criteria, and, taking into account the subjectivity of human judgement in practice, constructs a fuzzy integral decision-making model. Through a case study we show that the evaluation model is practical and can be applied to new software vulnerabilities to measure their degree of penetration. The fuzzy integral decision-making model emphasizes, through its formulation, the multiplicative-additive effect between the different factors influencing information security.
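The "multiply-add effect" between factors that the abstract attributes to its fuzzy integral model can be made concrete with a Sugeno λ-fuzzy measure aggregated by a Choquet integral. The block below is an added example written for this page; it is not code from the paper, and the paper does not state which fuzzy integral it uses, so the λ-fuzzy measure is an assumption. The three criteria (`exploitability`, `impact`, `exposure`), their densities and the two vulnerability score vectors are constructed sample values, standing in for the aspects and weights a fuzzy Delphi / FAHP step would produce.

```python
from math import isclose, prod

# Constructed example: three criteria for a software weakness and their
# "densities" g({c}), the importance of each criterion taken on its own.
# These are assumed values, not the paper's aspects or weights.
DENSITIES = {"exploitability": 1 / 3, "impact": 0.25, "exposure": 0.2}

# Constructed criterion scores (0..1) for two hypothetical vulnerabilities.
SAMPLE_SCORES = {
    "vuln_A": {"exploitability": 0.9, "impact": 0.6, "exposure": 0.3},
    "vuln_B": {"exploitability": 0.3, "impact": 0.6, "exposure": 0.9},
}


def solve_lambda(densities, iterations=200):
    """Find lambda of a Sugeno lambda-fuzzy measure from its densities.

    lambda is the non-zero root of 1 + lambda = prod(1 + lambda * g_i) in
    (-1, inf); it is 0 (an additive measure) exactly when the densities sum
    to 1. lambda > 0 models criteria that reinforce each other, lambda < 0
    criteria that overlap.
    """
    g = list(densities.values())
    total = sum(g)
    if isclose(total, 1.0, abs_tol=1e-12):
        return 0.0

    def f(lam):
        return prod(1 + lam * gi for gi in g) - (1 + lam)

    if total < 1.0:          # root is positive; widen the bracket until f changes sign
        lo, hi = 1e-9, 1.0
        while f(hi) < 0:
            hi *= 2
    else:                    # root lies strictly inside (-1, 0)
        lo, hi = -1 + 1e-9, -1e-9
    for _ in range(iterations):  # sign-aware bisection on [lo, hi]
        mid = (lo + hi) / 2
        if f(lo) * f(mid) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2


def fuzzy_measure(densities, subset, lam):
    """g(A) for a subset A of criteria under the lambda-fuzzy measure."""
    subset = list(subset)
    if not subset:
        return 0.0
    if lam == 0.0:
        return sum(densities[c] for c in subset)
    return (prod(1 + lam * densities[c] for c in subset) - 1) / lam


def choquet_integral(scores, densities, lam):
    """Choquet integral of criterion scores w.r.t. the lambda-fuzzy measure.

    Criteria are sorted by ascending score; each increment of score is
    weighted by the measure of the set of criteria reaching at least that
    score, so the aggregate depends on which criteria are high together,
    not only on a weighted sum.
    """
    order = sorted(scores, key=scores.get)
    total, previous = 0.0, 0.0
    for i, criterion in enumerate(order):
        total += (scores[criterion] - previous) * fuzzy_measure(densities, order[i:], lam)
        previous = scores[criterion]
    return total


def weighted_mean(scores, densities):
    """Plain additive aggregate with normalised densities, for comparison."""
    norm = sum(densities.values())
    return sum(scores[c] * densities[c] for c in scores) / norm


def rank_vulnerabilities(all_scores, densities):
    """Return (name, Choquet score) pairs, highest (most dangerous) first."""
    lam = solve_lambda(densities)
    ranked = [(name, choquet_integral(s, densities, lam)) for name, s in all_scores.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    lam = solve_lambda(DENSITIES)
    print(f"lambda = {lam:.6f}")
    for name, score in rank_vulnerabilities(SAMPLE_SCORES, DENSITIES):
        wm = weighted_mean(SAMPLE_SCORES[name], DENSITIES)
        print(f"{name}: choquet={score:.3f} weighted_mean={wm:.3f}")
```

With the constructed densities (which sum to less than 1) λ solves to 1, so the measure is superadditive: the pair `{impact, exploitability}` is worth 2/3, more than the 7/12 its two densities add up to. That is the interaction a weighted sum cannot express: `vuln_A`, which is high on the two reinforcing criteria, aggregates to 0.60 while `vuln_B`, with the same multiset of scores in a different order, aggregates to 0.51.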
