107,321 research outputs found

    Improving residual risk management through the use of security metrics

    Introduction: Reported security breaches over the last 3 years suggest that a large number of security procedures are not currently operating at full effectiveness. Security breaches have ranged from the loss of personal details of 25 million UK citizens to the disclosure of national security information assets. It is highly likely that the organisations involved in these security breaches performed risk assessments for their information assets and implemented a range of security controls to manage these risks, leading to the resulting residual risks being within acceptable risk appetites. But as investigations into security breaches have shown, these controls are often ignored, bypassed or incorrectly implemented [ICO07]. Organisations may not currently understand how ineffectively their security controls are being managed, resulting in higher levels of risk exposure through controls operating at below optimal effectiveness. By introducing real world effectiveness measurements into an organisation’s risk management activities, organisations can improve their understanding of their current risk exposure.

    Research: We have found that a number of organisational issues exist with the use of security metrics in measuring control effectiveness, which can be summarised as follows:

    * Metrics that measure effectiveness can be difficult to define.
    * Resulting measurements can be difficult to interpret by non-security professionals.
    * Effectiveness metrics cannot be easily compared to allow benchmarking of an organisation’s performance.

    Our research has concluded that there is a gap in current IT governance models and management best practices for the definition of how to measure the effectiveness of security controls. While these standards do recognise the requirement for continual assessment of operational effectiveness, the definition of these measurements and how to interpret the results are left to the organisation.

    Information Security Effectiveness Framework (ISEF): This project introduces ISEF, a framework that assists organisations in defining, visualising and comparing security metrics. The framework uses the concept of grouping controls based on their implementation type and temporal objectives to present common characteristics that can be measured. The framework uses the relationship between controls and risks to align security metrics against organisational risk, and visualises these to support the direction of remedial efforts. The ISEF is designed to complement current IT governance models and standards such as COBIT and ISO27002. This is provided by its alignment with these ‘what’ should be done models and standards by providing the ‘how’. The ISEF provides a method of comparing security metrics based on the financial stock markets indices. This allows the comparison of security control management between organisations and allows the organisations to benchmark themselves against peers without revealing specific security control information.

    Conclusion: A case study using ISEF has shown that the framework provides a method for defining metrics in order to obtain real world data to modify current residual risk levels. For organisations with a risk management approach, the framework can visualise effectiveness in the context of risk allowing resources to be focused on improving security management where it will make the greatest risk reduction

    A Novel Approach to Determine Software Security Level using Bayes Classifier via Static Code Metrics

    Technological developments are increasing day by day and software products are growing in an uncontrolled way. This leads to the development of applications which do not comply with principles of design. Software which has not passed security testing may put the end user into danger. During the processes of error detection and verification of developed software, static and dynamic analysis may be used. Static code analysis provides analysis in different categories while coding without code compile. Source code metrics are also within these categories. Code metrics evaluate software quality, level of risk, and interchangeability by analysing software based on those metrics. In this study, we will describe our web-based application which is developed to determine the level of security in software. In this scope, software's metric calculation method will be explained. The scoring system we used to determine the security level calculation will be explained, taking into account metric thresholds that are acceptable in the literature. Bayes Classifier Method, distinguishing risks in the project files with the analysis of uploaded sample software files, will be described. Finally, objectives of this analysis method and planned activities will be explained

    COPSEC: Compliance-Oriented IoT Security and Privacy Evaluation Framework

    A rising number of Internet of Things (IoT) security and privacy threats have been documented over the last few years. However, IoT devices' domain designs are out-of-date and do not take into consideration the changing dangers associated with them. In this paper, we present COPSEC, a novel framework for evaluating whether IoT devices are compliant with security guidelines and privacy regulations. We extract metrics from existing guidelines and regulations and test them on a set of devices by performing hundreds of automated experiments. Our results indicate not only that these devices are not compliant with basic security guidelines, but also that their data collection operations may introduce privacy risks for the users that adopt them

    Estimating Impact and Frequency of Risks to Safety and Mission Critical Systems Using CVSS

    Many safety and mission critical systems depend on the correct and secure operation of both supportive and core software systems. E.g., both the safety of personnel and the effective execution of core missions on an oil platform depend on the correct recording, storing, transfer and interpretation of data, such as that for the Logging While Drilling (LWD) and Measurement While Drilling (MWD) subsystems. Here, data is recorded on site, packaged and then transferred to an on-shore operational centre. Today, the data is transferred on dedicated communication channels to ensure a secure and safe transfer, free from deliberate and accidental faults. However, as cost control is ever more important, some of the transfer will be over remotely accessible infrastructure in the future. Thus, communication will be prone to known security vulnerabilities exploitable by outsiders. This paper presents a model that estimates risk level of known vulnerabilities as a combination of frequency and impact estimates derived from the Common Vulnerability Scoring System (CVSS). The model is implemented as a Bayesian Belief Network (BBN)

    Estimating ToE Risk Level using CVSS

    Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is to make future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which are then used to predict the risk level at a particular time

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach

    Code Metrics For Predicting Risk Levels of Android Applications

    Android applications pose security and privacy risks for end-users. Early prediction of risk levels that are associated with Android applications can help Android developers in releasing less risky applications to end-users. Researchers have shown how code metrics can be used as early predictors of failure prone software components. Whether or not code metrics can be used to predict risk levels of Android applications requires systematic exploration. The goal of this paper is to aid Android application developers in assessing the risk associated with developed Android applications by identifying code metrics that can be used as predictors to predict two levels of risk for Android applications. In this exploratory research study the author has investigated if code metrics can be used to predict two levels of risk for Android applications. The author has used a dataset of 4416 Android applications that also included the applications' 21 code metrics. By applying logistic regression, the author observes two of the 21 code metrics can predict risk levels significantly. These code metrics are functional complexity and number of directories. Empirical findings from this exploratory study suggest that with the use of proper prediction techniques, code metrics might be used as predictors for Android risk scores successfully

    Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

    Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help

    Methodologies to develop quantitative risk evaluation metrics

    The goal of this work is to advance a new methodology to measure a severity cost for each host using the Common Vulnerability Scoring System (CVSS) based on base, temporal and environmental metrics by combining related sub-scores to produce a unique severity cost by modeling the problem's parameters into a mathematical framework. We build our own CVSS Calculator using our equations to simplify the calculations of the vulnerabilities scores and to benchmark with other models. We design and develop a new approach to represent the cost assigned to each host by dividing the scores of the vulnerabilities into two main levels of privileges, user and root, and we classify these levels into operational levels to identify and calculate the severity cost of multi-step vulnerabilities. Finally we implement our framework on a simple network, using Nessus scanner as a tool to discover known vulnerabilities and to implement the results to build and represent our cost centric attack graph