Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
TY - GEN
T1 - Quantitative assessment of software vulnerabilities based on economic-driven security metrics
AU - Ghani, H.
AU - Luna, J.
AU - Suri, Neeraj
PY - 2013/10/23
Y1 - 2013/10/23
N2 - Vulnerability exploits cost organizations large amounts of resources, mainly due to disruption of ICT services and the resulting loss of confidentiality, integrity and availability. As security managers in industry usually have to operate with limited budgets allocated to information security, they need to prioritize their investment efforts regarding the response mechanisms to the existing vulnerabilities. The use of quantitative security vulnerability assessment methods enables efficient prioritization of security efforts and investments to mitigate the discovered vulnerabilities, and thus an opportunity to lower expected losses. State-of-the-art approaches for vulnerability assessment such as the Common Vulnerability Scoring System (CVSS), the de facto standard for quantifying the severity of vulnerabilities, do not consider the economic impact in the event of a vulnerability exploit. To this end, our paper targets the quantitative understanding of vulnerability severity, taking into account the potential economic damage a successful vulnerability exploit can cause. We propose a novel approach for a systematic consideration of the relevant cost units (associated costs) for the economic damage estimation of vulnerability exploits. Our approach utilizes Multiple Criteria Decision Analysis (MCDA) methods to perform a prioritization of the existing vulnerabilities within the target system. The evaluation results show the potential cost savings with respect to the mitigation costs using our approach. Our method supports managers and decision makers in the process of prioritizing security investments to mitigate the discovered vulnerabilities. © 2013 IEEE.
AB - Vulnerability exploits cost organizations large amounts of resources, mainly due to disruption of ICT services and the resulting loss of confidentiality, integrity and availability. As security managers in industry usually have to operate with limited budgets allocated to information security, they need to prioritize their investment efforts regarding the response mechanisms to the existing vulnerabilities. The use of quantitative security vulnerability assessment methods enables efficient prioritization of security efforts and investments to mitigate the discovered vulnerabilities, and thus an opportunity to lower expected losses. State-of-the-art approaches for vulnerability assessment such as the Common Vulnerability Scoring System (CVSS), the de facto standard for quantifying the severity of vulnerabilities, do not consider the economic impact in the event of a vulnerability exploit. To this end, our paper targets the quantitative understanding of vulnerability severity, taking into account the potential economic damage a successful vulnerability exploit can cause. We propose a novel approach for a systematic consideration of the relevant cost units (associated costs) for the economic damage estimation of vulnerability exploits. Our approach utilizes Multiple Criteria Decision Analysis (MCDA) methods to perform a prioritization of the existing vulnerabilities within the target system. The evaluation results show the potential cost savings with respect to the mitigation costs using our approach. Our method supports managers and decision makers in the process of prioritizing security investments to mitigate the discovered vulnerabilities. © 2013 IEEE.
KW - CVSS
KW - economic-driven security metrics
KW - MCDA
KW - security quantification
KW - vulnerability assessment
KW - Costs
KW - Internet
KW - Investments
KW - Managers
KW - Operations research
KW - Security systems
KW - Security metrics
KW - Vulnerability assessments
KW - Security of data
U2 - 10.1109/CRiSIS.2013.6766361
DO - 10.1109/CRiSIS.2013.6766361
M3 - Conference contribution/Paper
SP - 1
EP - 8
BT - 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)
PB - IEEE
ER -