16 research outputs found

    A Method for Estimating the Financial Impact of Cyber Information Security Breaches Utilizing the Common Vulnerability Scoring System and Annual Loss Expectancy

    Information security is a relatively new field that is experiencing rapid growth in terms of malicious attack frequency and the amount of capital that firms must spend on attack defense. This rise in security expenditures has prompted corporate leadership teams to scrutinize corporate security budgets. Information security risk, and the related financial impact, is not as easily calculated as other traditional sources of enterprise risk. This research provides one method by which a firm may calculate the likelihood of a successful cyber security attack and the resulting financial impact. The method incorporates annual loss expectancy and cost-benefit analysis, which are tools familiar to most mid-level managers responsible for budget creation.

    A risk index model for security incident prioritisation

    With thousands of incidents identified by security appliances every day, distinguishing which incidents are important and which are trivial is complicated. This paper proposes an incident prioritisation model, the Risk Index Model (RIM), which is based on risk assessment and the Analytic Hierarchy Process (AHP). The model uses indicators such as criticality, maintainability, replaceability and dependability as decision factors to calculate each incident's risk index. The RIM was validated using the MIT DARPA LLDOS 1.0 dataset, and the results were compared against the combined priorities of the Common Vulnerability Scoring System (CVSS) v2 and Snort Priority. The experimental results show that 100% of incidents could be rated with RIM, compared to only 17.23% with CVSS. In addition, this study addresses the limitation of the coarse group priorities in Snort Priority (high, medium and low) by quantitatively ranking, sorting and listing incidents according to their risk index. The study also investigates the effect of applying weighted indicators in the calculation of the risk index, as well as the effect of calculating them dynamically. The experiments show significant changes in the resultant risk index as well as in some of the top priority rankings.

    HIPSTER Project - State of the Art: Technical Report

    Health IoT (HIoT) software offers thorny and complex security, privacy and safeguarding (SPS) problems and requirements, with huge potential impact. The HIPSTER project aims to help development teams in the Small-to-Medium Enterprise community, incorporating background information from cyber threat and risk intelligence to create a cost-effective intervention to support decision making around such threats and requirements. This report outlines the approach we plan to use and explores the academic 'state of the art' literature around the project. It concludes that the areas of novelty for the project lie in finding ways to make risk data meaningful and palatable for software development teams, and in finding objective sources of such security and privacy information for this domain. To support readers in using the literature referenced, all citations and bibliography entries in this document have hyperlinks to the corresponding sources.

    Usability based risk assessment model for software development process

    Software usability is an important factor in ensuring the development of quality and usable software. Ignorance, unawareness and failure to address usability during the software development process lead to poor quality software that is associated with potential usability risks. Risk management can be used to assess and control these usability risks. However, current knowledge on usability risks is still insufficient and a model to assess these risks is also lacking, leading to neglect in managing usability risks in the software development lifecycle (SDLC). This thesis proposes a new Usability Risk Assessment Model for assessing usability risks during the SDLC. Initially, elements of the Usability Risk Assessment Model were identified using a Systematic Literature Review (SLR), whereby five major elements, namely Risk Identification, Risk Analysis, Risk Prioritization, Risk Classification and Risk Mitigation, were included in the model. Subsequently, feedback from 270 respondents to a survey questionnaire was used to identify 38 possible usability risk factors, which were then used to define 42 potential usability risks. These usability risks were used as keywords in identifying 85 initial usability vulnerabilities from the literature, which were grouped into four main categories that influence software development outcomes: Institutional Context, Software Project Content, People and Action, and Development Processes. The above usability risks and their vulnerabilities were then validated by four selected experts from the Public Sector. After validation, a total of 88 distinct usability vulnerabilities for various usability risks were identified. The usability risks were analysed using the Delphi method, involving seven experts, to identify the probability of occurrence, the impact on SDLC phases and mitigation plans for each usability risk. Aided by the probability of occurrence and the impact on SDLC phases, the usability risk exposure level was quantified and used to classify and prioritize usability risks across SDLC phases. A web-based Usability Risk Assessment Tool was developed in ASP.Net as a proof of concept to automate the detailed elements of the model and support its implementation. Using this tool, multiple case study evaluations on four software projects in the Public Sector of Malaysia demonstrated an inverse relationship between the number of usability risks and the usability of the software. Thus, with the proposed Usability Risk Assessment Model, usability risks can be effectively identified, analysed, prioritized, classified and mitigated during the software development process, reducing these risks in order to enhance the usability of software. The contributions of this research are: first, a validated list of potential usability risks, usability vulnerabilities and possible mitigation plans for the usability risks; second, the classification and prioritization of usability risks across SDLC phases; and third, an empirical evaluation of the Usability Risk Assessment Model.

    An Expert System for Rating Vulnerabilities

    Over the past few years, there has been a worrying increase in the number of web application intrusions. Based on reports released by reliable sources, these incidents are due to the lack of experts able to perform accurate risk assessment to mitigate risk while performing web security testing. Risk assessment is the core process in providing appropriate recommendations when dealing with vulnerabilities discovered in a web application. Therefore, this paper highlights the problem of insufficient experts to guide the less experienced information security analyst in conducting effective risk assessment. The objective of this research is to design an expert system to aid the less experienced system analyst in conducting accurate risk assessment in the absence of experts. The expert system covers the risk rating of all vulnerabilities included in the OWASP Top 10 2013, and the target user is only the less experienced information system analyst. The methodology used in the research is based on the expert system development life cycle model. The main activity conducted is the construction of the knowledge base of the proposed expert system. Based on the knowledge and information collected from the internet as well as from interviews with experts, the knowledge developer constructs a decision tree, which aids in the development of the expert system in a later phase of the research.

    DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

    This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.