Vulnerability Assessment in Quantitative Risk Management Methodologies - State-of-the-Art and Challenges

Raed Labassi, Mohamed Hamdi

2014

Abstract

Quantitative risk analysis is primarily concerned with estimating the attributes associated with digital threats and assessing how effectively candidate countermeasures thwart the corresponding attacks. Vulnerability analysis turns out to be a crucial step in this process. This paper proposes a new vulnerability assessment technique that supports the implementation of adaptive security engineering processes: the system dynamically enables security countermeasures and adapts its security parameters according to the impact of the threat. The major advantage of the proposed technique is that it allows runtime protection of sensitive assets to be enforced.



Paper Citation


in Harvard Style

Labassi R. and Hamdi M. (2014). Vulnerability Assessment in Quantitative Risk Management Methodologies - State-of-the-Art and Challenges. In Doctoral Consortium - DCETE, (ICETE 2014) ISBN Not Available, pages 31-38


in Bibtex Style

@conference{dcete14,
author={Raed Labassi and Mohamed Hamdi},
title={Vulnerability Assessment in Quantitative Risk Management Methodologies - State-of-the-Art and Challenges},
booktitle={Doctoral Consortium - DCETE, (ICETE 2014)},
year={2014},
pages={31-38},
publisher={SciTePress},
organization={INSTICC},
doi={},
isbn={Not Available},
}


in EndNote Style

TY - CONF
JO - Doctoral Consortium - DCETE, (ICETE 2014)
TI - Vulnerability Assessment in Quantitative Risk Management Methodologies - State-of-the-Art and Challenges
SN - Not Available
AU - Labassi R.
AU - Hamdi M.
PY - 2014
SP - 31
EP - 38
DO -