On Computing Enterprise IT Risk Metrics
Authors
Sandeep Bhatt, William Horne, Prasad Rao (HP Laboratories)

HPL-2011-26. External Posting Date: February 21, 2011. Internal Posting Date: February 21, 2011. Approved for External Publication.

Abstract
Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security patches and enhanced monitoring. These assessments are based on various criteria, including (i) the NIST National Vulnerability Database, which reports tens of thousands of vulnerabilities on individual components, with several thousand added every year, and (ii) the specifics of the enterprise IT infrastructure, which includes many components. Defining and computing appropriate vulnerability metrics to support decision making remains a challenge. Currently, several IT organizations make use of the CVSS metrics that score vulnerabilities on individual components. CVSS does allow for environmental metrics, which are meant to capture the connectivity among the components; unfortunately, within Section 2.3 of [1] there are no guidelines for how these should be defined and, consequently, environmental metrics are rarely defined and used.

We present a systematic approach to quantify and automatically compute the risk profile of an enterprise from information about individual vulnerabilities contained in CVSS scores. The metric we propose can be used as the CVSS environmental score. Our metric can be applied to the problem of prioritizing patches, customized to the connectivity of an enterprise. It can also be used to prioritize vulnerable components for purposes of enhanced monitoring.
To be published and presented at IFIP SEC 2011: Future challenges in security and privacy for academia and industry, June 2011. Copyright IFIP SEC 2011: Future challenges in security and privacy for academia and industry, 2011.

Sandeep Bhatt, William Horne and Prasad Rao, Cloud and Security Lab, HP Laboratories, 5 Vaughn Drive, Princeton NJ 08540, USA. {sandeep.bhatt,william.horne,prasad.rao}@hp.com