Fig 5 - uploaded by Siv Hilde Houmb
1. AS/NZS 4360:2004 Risk management process 

Source publication
Article
In security assessment and management there is no single correct solution to the identified security problems or challenges. Instead there are only choices and tradeoffs. The main reason for this is that modern information systems and security critical information systems in particular must perform at the contracted or expected security level, make...

Citations

... According to [6] , risk assessment methods can be divided in three basic groups: rule based, risk based and judgment based. Rule based risk assessment methodologies are usually based on a collection of standards which are used as norms that the system, which is under investigation, should comply with. ...
... (table rows from the cited work, one row per line; the first line is the tail of a row that begins before the excerpt)
Theft of media or documents 6, 7, 8, 9, 10
33 Failure to produce management reports Unauthorized use of equipment 6, 7, 8, 9, 10
86 Out of date virus signature Forging of rights 6, 7, 8, 9, 10
87 Lack of automatic virus scans Forging of rights 6, 7, 8, 9, 10
88 Lack of reconciliation routines used by software Corruption of data 6, 7, 8, 9, 10
89 Lack of intrusion detection and prevention tools Forging of rights 6, 7, 8, 9, 10 ...
Article
We present a quantitative business-process risk assessment methodology that utilizes formal mathematical distributions over historical data to enable better granularity and less subjective assessment on cyber-physical systems (CPS) and IT systems that use cloud services in general. The proposed methodology supports risks on asset-based processes associated with cloud computing platforms. ISO and US standards for cloud platforms are used to detect cloud-based attack vectors, threats and vulnerabilities both for CPS and traditional IT systems. Poisson distributions are proposed as a scientific means to quantify the likelihood of threat manifestation for assessing security risks. The key advantage of the presented method is its non-subjective likelihood threat estimation (contrary to current standards) and its ability to assess risk based on novel asset-based processes that fully support cloud services and CPS, which can aid stakeholders to comparatively assess the risk of using cloud services to process data. A real-world critical infrastructure was used to compare results of the presented methodology with its current security plan.
... To assess the popularity of the methods we considered: a) if the method is provided by an agency (e.g., NIST) or standardization body (e.g., ISO), b) if the method is recognized by the relevant scientific community (with academic citations) or industry, and c) ranking in the relevant search engines (Google Scholar, Google search). To narrow the number of RA methods the following selection criteria were used, which are commonly used in the literature (Houmb 2007; Kouns et al. 2010; Macedo 2012; NATO 2008; ENISA 2006): Is the proposed approach a method or a guideline? If it is a guideline then, does it contain a proposed method to use? ...
Article
Organizations are exposed to threats that increase the risk factor of their ICT systems. The assurance of their protection is crucial, as their reliance on information technology is a continuing challenge for both security experts and chief executives. As risk assessment could be a necessary process in an organization, one of its deliverables could be utilized in addressing threats and thus facilitate the development of a security strategy. Given the large number of heterogeneous methods and risk assessment tools that exist, comparison criteria can provide better understanding of their options and characteristics and facilitate the selection of a method that best fits an organization's needs. This article aims to address the problem of selecting an appropriate risk assessment method to assess and manage information security risks, by proposing a set of comparison criteria, grouped into four categories. Based upon them, it provides a comparison of the 10 popular risk assessment methods that could be utilized by organizations to determine the method that is more suitable for their needs. Finally, a case study is presented to demonstrate the selection of a method based on the proposed criteria.
... Risk Assessment or Risk Management methodologies can be grouped together based on various factors. According to Houmb [25], Risk Assessments can be classified into three main types: rule based, risk based (probabilistic) and judgment based. Rule based assessments are usually based on a set of standards or checklists which are used as rules that the system should comply by. ...
... Finally, industry literature and surveys (e.g. [9], [34], [58], [57] and [25]) were used to identify other methods that are in use. One thing to be noted is that most of the above literature contains surveys of risk assessment and risk management methods. ...
... The Australian/New Zealand Standard for Risk Management AS/NZS 4360:2004 [61] provides a generic framework for the process of managing risks which divides the elements of the risk assessment process into several sub-processes: "Establish the context", "Identify Risks", "Analyze Risks", "Evaluate Risks" and "Treat Risks" [25]. The standard also describes two processes that should run in parallel with the risk assessment sessions as part of the Risk Management: "Monitoring and Review" and "Communicate and Consult". A flowchart describing this process can be found in Figure 3.1. ...
Technical Report
The technology behind information systems evolves at an exponential rate, while at the same time becoming more and more ubiquitous. This brings with it an implicit rise in the average complexity of systems as well as the number of external interactions. In order to allow a proper assessment of the security of such (sub)systems, a whole arsenal of methodologies, methods and tools have been developed in recent years. However, most security auditors commonly use a very small subset of this collection, that best suits their needs. This thesis aims at uncovering the differences and limitations of the most common Risk Assessment frameworks, the conceptual models that support them, as well as the tools that implement them. This is done in order to gain a better understanding of the applicability of each method and/or tool and suggest guidelines to picking the most suitable one.
... Houmb presents a framework for making security decisions. Her work describes a tool that supports decision makers in choosing one or a set of security solutions among alternatives [66]. The approach is called the Aspect-Oriented Risk Driven Development (AORDD) Framework and combines Aspect-Oriented Modeling (AOM) ...
... However, the feasibility of these approaches is questionable as it is unclear where data used in the analysis come from. The same issue with the origins of data stands for the AORDD framework [66]: it is not clear how empirical data are used for the quantitative analysis. The AHP [22] approach is not easy to implement as it requires the involvement of several experts to identify criteria and assign scores to them. ...
... The AHP [22] approach is not easy to implement as it requires the involvement of several experts to identify criteria and assign scores to them. Both the AORDD [66] and AHP approaches [22] have the advantage of comparing solutions and facilitating communication. Game-theory-based and adversary-based techniques, on the contrary, do not facilitate communication as the outputs are low-level and decision makers do not necessarily have an IT security background: for example, both techniques may require the understanding of attack paths. ...
... The SecInvest decision engine is implemented as a Bayesian Belief Network (BBN) topology [26], as shown in Fig. 3. BBN is a powerful tool for reasoning under uncertainty and has been shown effective for both assessing the safety [20, 28] and the security [22] of systems. A BBN is a directed acyclic graph (DAG) together with an associated set of probability tables, where the probability tables specify the relations between the various input variables in terms of conditional probability expressions. ...
... The same is the case for most variables (observable nodes) in Fig. 4. For more information about SecInvest, see Houmb [22], which describes its predecessor, i.e., the AORDD framework and security solution trade-off analysis. ...
Conference Paper
Making well-founded security investment decisions is hard: several alternatives may need to be considered, the alternatives' space is often diffuse, and many decision parameters that are traded off are uncertain or incomplete. We cope with these challenges by proposing a method that supports decision makers in the process of making well-founded and balanced security investment decisions. The method has two fundamental ingredients, staging and learning, that fit into a continuous decision cycle. The method takes advantage of Real Options thinking, not only to select a decision option, but also to compound it with other options in following decision iterations, after reflection on the decision alternatives previously implemented. Additionally, our method is supported by the SecInvest tool for trade-off analysis that considers decision parameters, including cost, risks, context (such as time-to-market and B2B trust), and expected benefits when evaluating the various decision alternatives. The output of the tool, a fitness score for each decision alternative, allows comparison of the evaluations of the decision makers involved as well as the inclusion of learning and consequent adjustments of decision parameters. We demonstrate the method using an example with three decision alternatives.
... Details of evidence types and propagation algorithms can be found in Jensen (1996), Pourret et al. (2008) or the HUGIN™ user guide (Hugin, 2007a, b). Descriptions of how to evaluate knowledge, experience and recommendations of information sources such as experts, can be found in Ray and Chakraborty (2005) and Houmb (2007). Note that the CVSS rating values given in Table 1 are used as the prior probability distributions, as described in Section 4.3. ...
... Future work will also include a series of practical field studies using the model at our industrial partners. Besides this, we also plan to merge the CVSS Risk Level Estimation Model into a security solution trade-off analysis (Houmb, 2007) as part of a larger security budgeting support tool that we are building. An attempt to do this is currently in progress as part of a field study. ...
Article
Modern society relies on and profits from well-balanced computerized systems. Each of these systems has a core mission such as the correct and safe operation of safety critical systems or innovative and effective operation of e-commerce systems. It might be said that the success of these systems depends on their mission. Although the concept of “well-balanced” has a slightly different meaning for each of these two categories of systems, both have to meet customer needs, deliver capabilities and functions according to expectations and generate revenue to sustain today’s highly competitive market. Tighter financial constraints are forcing safety critical systems away from dedicated and expensive communication regimes, such as the ownership and operation of dedicated communication links, towards reliance on third parties and standardized means of communication. As a consequence, knowledge about their internal structures and operations is more widely and publicly available and this can make them more prone to security attacks. These systems are, therefore, moving towards a remotely exploitable environment and the risks associated with this must be controlled.
Article
Developers of critical systems need to address several quality properties, such as security and performance, in the early stages of the development cycle to ensure that the system under construction meets its requirements. Sometimes quality properties conflict with each other and/or with the system's functionalities, so the developers need to make trade-off decisions. Unreasonable costs, added developer resources and tight project schedules may be other reasons for having to trade-off between alternative solutions. In the context of Model-Driven Development, the analysis of quality properties is done by transforming software design models into different analysis models based on various formalisms, which are then analyzed with existing tools. A major challenge is to integrate different models, transformations and tools into a consistent and coherent process. In this chapter the authors present a methodology called Aspect-Oriented Risk Driven Development (AORDD), which integrates the analysis of two quality properties, namely security and performance, into the development process of critical systems. Each quality property is analyzed separately, and then all results are input to a trade-off analysis that identifies conflicts between the properties. Trade-off analysis aims at supporting designers and developers in choosing the security and performance solutions that best fit their needs, without introducing unacceptable development delays or costs. The security analysis consists of identifying the assets (critical components, such as sensitive information) of an application and the attacks that can compromise these assets, and formally analyzing whether these attacks are actually possible using the tools UML2Alloy and Alloy Analyzer. If the system is vulnerable to the attack, some security solution, modeled as an aspect according to Aspect Oriented Modeling (AOM), is added to the system. The analysis must be repeated to ensure that the resulting system is secure.
Performance analysis is accomplished using Layered Queuing Network (LQN) models. Annotated system models are transformed into LQN models and performance experiments are executed on them. If the performance results are unacceptable, the system design has to be changed and the analysis repeated. Finally, the results of the security and performance analysis are input to the system quality property trade-off analysis, which is implemented as a Bayesian Belief Network (BBN) topology, and which also takes as input external parameters, such as time to market and budget constraints. The results of the trade-off analysis help identify how well a particular design meets performance, security and other project goals, which, in turn, can guide the developer in making informed design decisions. The approach is illustrated using a transactional web e-commerce benchmark (TPC-W) originally developed by the Transaction Processing Performance Council.
... Jonsson and Olovsson [21] look at the problem in a more practical way by analyzing attacker behavior through controlled experiments. Houmb et al. [22] and Houmb [23] build on these works emphasizing the importance of quantitative measures of security and the role of security trade-off analysis. The goal is to assist decision makers in choosing among alternative security solutions, based on security, cost, resources, time-to-market and other trade-off parameters, and to reduce time, cost and effort in security evaluations. ...
... The goal is to assist decision makers in choosing among alternative security solutions, based on security, cost, resources, time-to-market and other trade-off parameters, and to reduce time, cost and effort in security evaluations. The current work draws upon Houmb's earlier works [22, 23]. Security management standards aid in the overall management of security in an organization. ...
Article
Security is not merely about technical solutions and patching vulnerabilities. Security is about trade-offs and adhering to realistic security needs, employed to support core business processes. Also, modern systems are subject to a highly competitive market, often demanding rapid development cycles, short life-time, short time-to-market, and small budgets. Security evaluation standards, such as ISO 14508 Common Criteria and ISO/IEC 27002, are not adequate for evaluating the security of many modern systems for resource limitations, time-to-market, and other constraints. Towards this end, we propose an alternative time and cost effective approach for evaluating the security level of a security solution, system or part thereof. Our approach relies on collecting information from different sources, who are trusted to varying degrees, and on using a trust measure to aggregate available information when deriving security level. Our approach is quantitative and implemented as a Bayesian Belief Network (BBN) topology, allowing us to reason over uncertain information and seemingly aggregating disparate information. We illustrate our approach by deriving the security level of two alternative Denial of Service (DoS) solutions. Our approach can also be used in the context of security solution trade-off analysis.
... The risk level estimation model is limited to the overall system perspective, called ToE in this paper, and does not discuss the financial aspects involved. Details on the financial aspects and how operational security relates to strategic or enterprise security are in Houmb (2007) [2]. A ToE can be any part of a system/network or the whole system/network and is used to denote the object in need of or being managed. ...
... Experts (from NIST) analyse each known vulnerability (called CVE, footnote 2: Common Vulnerabilities and Exposures [18]) and assign qualitative values to each attribute. For the base metrics they assign a rating (i.e. a qualitative value) for each attribute mentioned above. Based on these qualitative values, the CVSS system calculates scores using the pre-defined rating scales shown in Tables I and II. ...
Conference Paper
Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is to make future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.