Houmb, Siv Hilde, Franqueira, Virginia N. L., Engum, Erlend A. (2010) Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software, 83 (9). pp. 1622-1634. ISSN 0164-1212. (doi:10.1016/j.jss.2009.08.023) (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided) (KAR id:77197)
PDF
Publisher pdf
Language: English Restricted to Repository staff only |
|
|
|
Official URL: https://doi.org/10.1016/j.jss.2009.08.023 |
Abstract
Modern society relies on and profits from well-balanced computerized systems. Each of these systems has a core mission such as the correct and safe operation of safety critical systems or innovative and effective operation of e-commerce systems. It might be said that the success of these systems depends on their mission. Although the concept of ‘‘well-balanced” has a slightly different meaning for each of these two categories of systems, both have to meet customer needs, deliver capabilities and functions according to expectations and generate revenue to sustain today’s highly competitive market. Tighter financial constraints are forcing safety critical systems away from dedicated and expensive communication regimes, such as the ownership and operation of dedicated communication links, towards reliance on third parties and standardized means of communication. As a consequence, knowledge about their internal structures and operations is more widely and publicly available and this can make them more prone to security attacks. These systems are, therefore, moving towards a remotely exploitable environment and the risks associated with this must be controlled.Risk management is a good tool for controlling risk but it has the inherent challenge of quantitatively estimating frequency and impact in an accurate and trustworthy way. Quantifying the frequency and impact of potential security threats requires experience-based data which is limited and rarely reusable because it involves company confidential data. Therefore, there is a need for publicly available data sources that can be used in risk estimation. This paper presents a risk estimation model that make suse of one such data source, the Common Vulnerability Scoring System (CVSS). The CVSS Risk Level Estimation Model estimates a security risk level from vulnerability information as a combination of frequency and impact estimates derived from the CVSS. It is implemented as a Bayesian Belief Network(BBN) topology, which allows not only the use of CVSS-based estimates but also the combination of disparate information sources and, thus, provides the ability to use whatever risk information that is avail-able. The model is demonstrated using a safety- and mission-critical system for drilling operational support, the Measurement and Logging While Drilling (M/LWD) system.
Item Type: | Article |
---|---|
DOI/Identification number: | 10.1016/j.jss.2009.08.023 |
Uncontrolled keywords: | Quantitative risk analysis, Security risks, Risk estimation, Common Vulnerability Scoring System (CVSS), Dependable systems, Remote operation |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing |
Depositing User: | Virginia Franqueira |
Date Deposited: | 10 Oct 2019 13:01 UTC |
Last Modified: | 05 Nov 2024 12:41 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/77197 (The current URI for this page, for reference purposes) |
- Export to:
- RefWorks
- EPrints3 XML
- BibTeX
- CSV
- Depositors only (login required):