Attacker Economics for Internet-scale Vulnerability Risk Assessment
Author
Abstract
Vulnerability risk assessment is a crucial process in security management, and the CVSS score is the de-facto standard risk metric for software vulnerabilities. In this manuscript I show that current risk assessment methodologies do not fit real “in the wild” attack data. I also present my three-step plan to identify an Internet-scale risk assessment methodology that accounts for attacker economics and opportunities. Eventually, I want to provide answers like the following: “If we deploy this security measure, the fraction of our users affected by this type of cyber attack will be less than X%”.
Similar sources
Attacker economics for Internet-scale vulnerability risk assessment (Extended
Luca Allodi, DISI, University of Trento, Italy, http://disi.unitn.it/
Reconciling Malicious and Accidental Risk in Cyber Security
Consider the question whether a cyber security investment is cost-effective. The result will depend on the expected frequency of attacks. Contrary to what is referred to as threat event frequencies or hazard rates in safety risk management, frequencies of targeted attacks are not independent from system design, due to the strategic behaviour of attackers. Although there are risk assessment meth...
Analysis of Information Security Problem by Probabilistic Risk Assessment
The information security risk assessment is investigated from perspectives of most advanced probabilistic risk assessment (PRA) for nuclear power plants. Accident scenario enumeration by initiating events, mitigation systems and event trees are first described and demonstrated. Assets, confidentiality, integrity, availability, threats, vulnerabilities, impacts, likelihoods, and safeguards are r...
Security Events and Vulnerability Data for Cybersecurity Risk Estimation.
Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage the large amount of data available from the IT infrastruc...
Ontology-Based Document Profile for Vulnerability Relevancy Analysis
System vulnerability is the common weak point for attackers to break into the system. Patching or reconfiguration is usually slow, and difficult or risky for system stability. Our research defines a framework for vulnerability prioritization based on relevancy calculated from online information. In this paper, the idea of subcontext and the Ontology-based Document Profile (ODP) are introduced. OD...