Analyses of Two End-User Software Vulnerability Exposure Metrics

The risk due to software vulnerabilities will not be completely resolved in the near future. Instead, putting reliable vulnerability measures into the hands of end-users so that informed decisions can be made regarding the relative security exposure incurred by choosing one software package over another is of importance. To that end, we propose two new security metrics, average active vulnerabilities (AAV) and vulnerability free days (VFD). These metrics capture both the speed with which new vulnerabilities are reported to vendors and the rate at which software vendors fix them. We then examine how the metrics are computed using currently available datasets and demonstrate their estimation in a simulation experiment using four different browsers as a case study. Finally, we discuss how the metrics may be used by the various stakeholders of software and to software usage decisions

DETERMINING VULNERABILITY USING ATTACK GRAPHS: AN EXPANSION OF THE CURRENT FAIR MODEL

Factor Analysis of Information Risk (FAIR) provides a framework for measuring and understanding factors that contribute to information risk. One such factor is FAIR Vulnerability; the probability that an event involving a threat will result in a loss. An asset is vulnerable if a threat actor’s Threat Capability is higher than the Resistance Strength of the asset. In FAIR scenarios, Resistance Strength is currently estimated for entire assets, oversimplifying assets containing individual systems and the surrounding environment. This research explores enhancing estimations of FAIR Vulnerability by modeling interactions between threat actors and assets through attack graphs. By breaking down the scenario into more representative and quantifiable parts, more detailed and precise analyses are possible

Improved Methods and Metrics for Assessing Impacts, Vulnerability and Adaptation

Over the course of the MEDIATION project, Work Package 2 was tasked with "develop[ing] and apply[ing] a toolbox, defined as a set of models, methods, and metrics for the assessment of impacts and vulnerability and adaptation options." As highlighted in Deliverable 2.2, many frameworks and methods for assessing adaptation have been developed over the last 20 years, yet these often have not been adopted in the context of formal adaptation policies in Europe and elsewhere. Reasons and problems include: (i) a fragmentation of methods and tools, (ii) a lack of linkages to actual policy needs, (iii) a lack of understanding and communication of uncertainties, (iv) the often expert-based nature and complexity of methods used versus actual user demands, and (v) a lack of consistent data, definitions and metrics. Deliverable 2.2 put forward a rough prototype for a toolbox of methods for studying impacts, vulnerability, and adaptation. In this deliverable, we discuss subsequent work on the MEDIATION toolbox, and report on application and testing of the improved methods and metrics in selected key European sectors and regions. We present feedback and improvement to methods and metrics based on input from case studies, stakeholders, and focus groups, as well as an overview of case study work and contribution to an improved MEDIATION toolbox. This input resulted in a number of conclusions relating to the development and use of methods and metrics, reducing uncertainty in CCIAV, and led to a number of changes, including the creation of a novel typology for classifying methods and models relating to CCIAV analysis. We provide an overview of the new typology, as well as the final toolbox, and summarize case study contributions towards improved methods and metrics

Coastal management and adaptation: an integrated data-driven approach

Coastal regions are some of the most exposed to environmental hazards, yet the coast is the preferred settlement site for a high percentage of the global population, and most major global cities are located on or near the coast. This research adopts a predominantly anthropocentric approach to the analysis of coastal risk and resilience. This centres on the pervasive hazards of coastal flooding and erosion. Coastal management decision-making practices are shown to be reliant on access to current and accurate information. However, constraints have been imposed on information flows between scientists, policy makers and practitioners, due to a lack of awareness and utilisation of available data sources. This research seeks to tackle this issue in evaluating how innovations in the use of data and analytics can be applied to further the application of science within decision-making processes related to coastal risk adaptation. In achieving this aim a range of research methodologies have been employed and the progression of topics covered mark a shift from themes of risk to resilience. The work focuses on a case study region of East Anglia, UK, benefiting from the input of a partner organisation, responsible for the region’s coasts: Coastal Partnership East. An initial review revealed how data can be utilised effectively within coastal decision-making practices, highlighting scope for application of advanced Big Data techniques to the analysis of coastal datasets. The process of risk evaluation has been examined in detail, and the range of possibilities afforded by open source coastal datasets were revealed. Subsequently, open source coastal terrain and bathymetric, point cloud datasets were identified for 14 sites within the case study area. These were then utilised within a practical application of a geomorphological change detection (GCD) method. This revealed how analysis of high spatial and temporal resolution point cloud data can accurately reveal and quantify physical coastal impacts. Additionally, the research reveals how data innovations can facilitate adaptation through insurance; more specifically how the use of empirical evidence in pricing of coastal flood insurance can result in both communication and distribution of risk. The various strands of knowledge generated throughout this study reveal how an extensive range of data types, sources, and advanced forms of analysis, can together allow coastal resilience assessments to be founded on empirical evidence. This research serves to demonstrate how the application of advanced data-driven analytical processes can reduce levels of uncertainty and subjectivity inherent within current coastal environmental management practices. Adoption of methods presented within this research could further the possibilities for sustainable and resilient management of the incredibly valuable environmental resource which is the coast

The future of Cybersecurity in Italy: Strategic focus area

This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

A decision support system for corporations cyber security risk management

This thesis presents a decision aiding system named C3-SEC (Contex-aware Corporative Cyber Security), developed in the context of a master program at Polytechnic Institute of Leiria, Portugal. The research dimension and the corresponding software development process that followed are presented and validated with an application scenario and case study performed at Universidad de las Fuerzas Armadas ESPE – Ecuador. C3-SEC is a decision aiding software intended to support cyber risks and cyber threats analysis of a corporative information and communications technological infrastructure. The resulting software product will help corporations Chief Information Security Officers (CISO) on cyber security risk analysis, decision-making and prevention measures for the infrastructure and information assets protection. The work is initially focused on the evaluation of the most popular and relevant tools available for risk assessment and decision making in the cyber security domain. Their properties, metrics and strategies are studied and their support for cyber security risk analysis, decision-making and prevention is assessed for the protection of organization's information assets. A contribution for cyber security experts decision support is then proposed by the means of reuse and integration of existing tools and C3-SEC software. C3-SEC extends existing tools features from the data collection and data analysis (perception) level to a full context-ware reference model. The software developed makes use of semantic level, ontology-based knowledge representation and inference supported by widely adopted standards, as well as cyber security standards (CVE, CPE, CVSS, etc.) and cyber security information data sources made available by international authorities, to share and exchange information in this domain. C3-SEC development follows a context-aware systems reference model addressing the perception, comprehension, projection and decision/action layers to create corporative scale cyber security situation awareness

DrAGON: A Framework for Computing Preferred Defense Policies from Logical Attack Graphs

Attack graphs provide formalism for modelling the vulnerabilities using a compact representation scheme. Two of the most popular attack graph representations are scenario attack graphs, and logical attack graphs. In logical attack graphs, the host machines present in the network are represented as exploit nodes, while the configurations (IDS rules, firewall policies etc.) running on them are represented as fact nodes. The actual user privileges that are possible on each of these hosts are represented as privilege nodes. Existing work provides methods to analyze logical attack graphs and compute attack paths of varying costs. In this thesis we develop a framework for analyzing the attack graph from a defender perspective. Given an acyclic logical dependency attack graph we compute defense policies that cover all known exploits that can be used by the attacker and also are preferred with respect to minimizing the impacts. In contrast to previous work on analysis of logical attack graphs where quantitative costs are assigned to the vulnerabilities (exploits), our framework allows attack graph analysis using descriptions of vulnerabilities on a qualitative scale. We develop two algorithms for computing preferred defense policies that are optimal with respect to defender preferences. Our research to the best of our knowledge is the first fully qualitative approach to analyzing these logical attack graphs and formulating defense policies based on the preferences and priorities of the defender. We provide a prototype implementation of our framework that allows logical attack graphs to be input using a simple text file (custom language), or using a GUI tool in graphical markup language (GML) format. Our implementation uses the NVD (National Vulnerability Database) as the source of CVSS impact metrics for vulnerabilities in the attack graph. Our framework generates a preferred order of defense policies using an existing preference reasoner. Preliminary experiments on various attack graphs show the correctness and efficiency of our approach