Abstract

This paper presents a probabilistic model-based approach aimed at evaluating quantitative measures to assess the security risks faced by an information system in operation. The proposed approach takes into account the impact of three environmental factors and their interdependencies: the vulnerability life cycle, the behavior of the attackers and the behavior of the system administrator. Several quantitative security measures are defined and evaluated. Two different scenarios are distinguished, corresponding to the cases where the system vulnerabilities are discovered by a malicious user or by a non-malicious user. The proposed models are based on stochastic activity networks and describe the system states resulting from the combined modeling of the three external factors. Five states are distinguished (vulnerable, exposed, compromised, patched and secure) and probability measures are associated with these states to assess the level of risk faced by the system as a result of the vulnerability exploitation process. The parameters of the models, e.g., those characterizing the occurrence of vulnerability life cycle events, are derived from the analysis of public information recorded in vulnerability databases. Several sensitivity analyses are carried out for the two scenarios in order to quantify and illustrate the impact of various parameters, including the probability of security patch application, the attack rate, etc.
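As an added illustration of the kind of state-probability measure the abstract describes (not code from the paper, which uses stochastic activity networks with parameters derived from vulnerability databases), the following Python block solves a small continuous-time Markov chain over the five states by uniformization and sweeps the probability of patch application. The transition structure (which event moves the system between the vulnerable, exposed, compromised, patched and secure states) and the per-day rates are assumptions constructed for this example, not values taken from the paper.

```python
import math

# Assumed five-state model (constructed for this example, not the paper's SAN model):
#   vulnerable  --exploit published-->  exposed
#   vulnerable  --patch applied-->      secure    (fixed before any exposure window)
#   exposed     --attack-->             compromised
#   exposed     --patch applied-->      patched   (fixed after exposure, before attack)
#   compromised --remediation-->        patched
STATES = ["vulnerable", "exposed", "compromised", "patched", "secure"]
V, E, C, P, S = range(len(STATES))

# Constructed per-day rates for the sensitivity sweep (assumptions, not paper data).
DEFAULT_RATES = dict(exploit_rate=1 / 30, patch_release_rate=1 / 20,
                     attack_rate=1 / 10, recovery_rate=1 / 7)


def generator(exploit_rate, patch_release_rate, p_apply, attack_rate, recovery_rate):
    """Build the CTMC generator matrix Q. Off-diagonal Q[i][j] is the rate of
    moving from state i to state j; each row sums to zero. The administrator
    applies a released patch with probability p_apply, so the effective patch
    rate is patch_release_rate * p_apply."""
    n = len(STATES)
    Q = [[0.0] * n for _ in range(n)]
    patch_rate = patch_release_rate * p_apply
    Q[V][E] = exploit_rate
    Q[V][S] = patch_rate
    Q[E][C] = attack_rate
    Q[E][P] = patch_rate
    Q[C][P] = recovery_rate
    for i in range(n):
        Q[i][i] = -sum(Q[i][j] for j in range(n) if j != i)
    return Q


def transient_distribution(Q, t, initial=V, tol=1e-12):
    """State probabilities at time t by uniformization:
    pi(t) = sum_k Poisson(k; Lambda*t) * pi0 * P^k with P = I + Q/Lambda,
    where Lambda bounds the largest exit rate. Terms are accumulated until the
    Poisson weights sum to 1 - tol, which bounds the truncation error by tol."""
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n)) or 1.0
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / lam for j in range(n)] for i in range(n)]
    pi = [0.0] * n
    pi[initial] = 1.0
    result = [0.0] * n
    weight = math.exp(-lam * t)  # Poisson(0; Lambda*t)
    cumulative, k = 0.0, 0
    while cumulative < 1.0 - tol and k < 100000:
        for i in range(n):
            result[i] += weight * pi[i]
        cumulative += weight
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]  # pi * P
        k += 1
        weight *= lam * t / k  # next Poisson weight
    return result


def compromised_probability(p_apply, t, rates=DEFAULT_RATES):
    """P(system is in the compromised state at time t), the risk measure swept below."""
    return transient_distribution(generator(p_apply=p_apply, **rates), t)[C]


def ever_compromised(p_apply, rates=DEFAULT_RATES, horizon=2000.0):
    """Probability the system is ever compromised: make 'compromised' absorbing
    (recovery_rate=0) and evaluate far enough out that all mass has absorbed."""
    r = dict(rates, recovery_rate=0.0)
    return transient_distribution(generator(p_apply=p_apply, **r), horizon)[C]


def sensitivity(p_values, t=60.0, rates=DEFAULT_RATES):
    """Sweep the patch-application probability and return (p, P(compromised at t))."""
    return [(p, compromised_probability(p, t, rates)) for p in p_values]


if __name__ == "__main__":
    for p, prob in sensitivity([0.0, 0.25, 0.5, 0.75, 1.0]):
        print(f"p_apply={p:.2f}  P(compromised at day 60)={prob:.4f}  "
              f"P(ever compromised)={ever_compromised(p):.4f}")
```

With the competing-exponential structure assumed here, the probability of ever being compromised has the closed form exploit/(exploit+patch) * attack/(attack+patch), which the uniformization result can be checked against; the transient measure at a fixed day is the quantity that has no simple closed form and is where a numerical solver earns its keep.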
