A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability

Wolter Pieters, S. van der Ven, C. Probst

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

    9 Citations (Scopus)
    169 Downloads (Pure)

    Abstract

    One of the big problems of risk assessment in information security is the quantification of risk-related properties, such as vulnerability. Vulnerability expresses the likelihood that a threat agent acting against an asset will cause impact, for example, the likelihood that an attacker will be able to crack a password or break into a system. This likelihood depends on the capabilities of the threat agent and the strength of the controls in place. In this paper, we provide a framework for estimating these three variables based on the Elo rating used for chess players. This framework reinterprets security in terms of Item Response Theory. By observing the success of threat agents against assets, one can rate the strength of threats and controls, and predict the vulnerability of systems to particular threats. The application of Item Response Theory to the field of risk is new, but analogous to its application to children solving math problems. It provides an innovative and sound way to quantify vulnerability in models of (information) security.
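    The abstract describes rating threat agents and controls from observed attack outcomes, in the style of chess Elo ratings. The following is an added illustration of that idea and is not code from the paper or its authors: it assumes the standard chess Elo formula (400-point scale, fixed K-factor of 32, prior rating 1500), treats each observed attempt as a "game" between a threat agent and the control protecting an asset, and counts a successful attack as a win for the agent. The observation records, agent names and control names are constructed for the example; the paper's actual parametrisation may differ.

```python
"""Elo-style vulnerability ratings: an added illustration, not the paper's code.

Assumptions (not from the page): the chess Elo expected-score formula with a
400-point scale and a fixed K-factor; each observed attempt is a 'game'
between a threat agent (player) and the control protecting an asset
(opponent); a successful attack is a win for the threat agent.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SCALE = 400.0     # Elo scale: a 400-point gap means roughly 10:1 odds (assumption)
K = 32.0          # step size of each rating update (assumption)
INITIAL = 1500.0  # prior rating for unseen agents and controls (assumption)


def expected_success(threat_rating: float, control_rating: float) -> float:
    """Predicted probability that the threat agent defeats the control.

    This is the Elo expected score, read here as the *vulnerability* of the
    asset to that particular threat agent.
    """
    return 1.0 / (1.0 + 10.0 ** ((control_rating - threat_rating) / SCALE))


def update(threat_rating: float, control_rating: float, success: bool,
           k: float = K) -> Tuple[float, float]:
    """One Elo update after observing a single attempt.

    A success moves rating mass from the control to the threat agent; a
    failure moves it the other way. The shift is proportional to how
    surprising the outcome was under the current ratings, so a weak agent
    defeating a strong control changes the ratings more than an expected win.
    """
    expected = expected_success(threat_rating, control_rating)
    observed = 1.0 if success else 0.0
    delta = k * (observed - expected)
    return threat_rating + delta, control_rating - delta


def rate_observations(observations: Iterable[Tuple[str, str, bool]],
                      k: float = K) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Run sequential Elo updates over (agent, control, success) records.

    Returns the final rating tables for threat agents and for controls.
    """
    threats: Dict[str, float] = defaultdict(lambda: INITIAL)
    controls: Dict[str, float] = defaultdict(lambda: INITIAL)
    for agent, control, success in observations:
        threats[agent], controls[control] = update(
            threats[agent], controls[control], success, k)
    return dict(threats), dict(controls)


# Constructed sample data (not from the paper): which agent attacked which
# control and whether the attempt succeeded. 'pw-8char' stands for a weak
# password policy, 'pw-16char+mfa' for a strong one; 'skiddie' and 'pro'
# are two threat agents of different capability.
SAMPLE_OBSERVATIONS: List[Tuple[str, str, bool]] = [
    ("skiddie", "pw-8char", True),
    ("skiddie", "pw-8char", True),
    ("skiddie", "pw-16char+mfa", False),
    ("skiddie", "pw-16char+mfa", False),
    ("pro", "pw-8char", True),
    ("pro", "pw-8char", True),
    ("pro", "pw-16char+mfa", True),
    ("pro", "pw-16char+mfa", False),
]


def predict_vulnerability(agent: str, control: str,
                          observations=SAMPLE_OBSERVATIONS) -> float:
    """Fit ratings on the observations, then predict P(success) for a pairing.

    Unseen agents or controls fall back to the prior rating, so the prediction
    for a pairing never observed is still defined (and close to 0.5).
    """
    threats, controls = rate_observations(observations)
    return expected_success(threats.get(agent, INITIAL),
                            controls.get(control, INITIAL))


if __name__ == "__main__":
    threats, controls = rate_observations(SAMPLE_OBSERVATIONS)
    print("threat capability:", {a: round(r, 1) for a, r in threats.items()})
    print("control strength: ", {c: round(r, 1) for c, r in controls.items()})
    for agent in threats:
        for control in controls:
            v = predict_vulnerability(agent, control)
            print(f"vulnerability of {control} to {agent}: {v:.2f}")
```

    The two rating tables are the quantities the abstract calls threat capability and control strength; `expected_success` applied to a pairing is the predicted vulnerability. Because every update is driven by the gap between predicted and observed outcome, the ratings converge on values that explain the observed success rates, which is also what makes the approach sensitive to selection effects in the observation data (only attempted attacks are ever observed).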
    Original language: Undefined
    Title of host publication: Proceedings of the 2012 workshop on New security paradigms (NSPW 2012)
    Place of Publication: New York
    Publisher: Association for Computing Machinery (ACM)
    Pages: 1-14
    Number of pages: 14
    ISBN (Print): 978-1-4503-1794-8
    DOI: https://doi.org/10.1145/2413296.2413298
    Publication status: Published - 18 Sep 2012
    Event: 2012 New Security Paradigms Workshop, NSPW 2012 - Bertinoro, Italy
    Duration: 18 Sep 2012 to 21 Sep 2012

    Publication series

    Name
    Publisher: ACM

    Workshop

    Workshop: 2012 New Security Paradigms Workshop, NSPW 2012
    Abbreviated title: NSPW
    Country: Italy
    City: Bertinoro
    Period: 18/09/12 to 21/09/12

    Keywords

    • SCS-Cybersecurity
    • EWI-22999
    • Control strength
    • Vulnerability
    • Item Response Theory
    • IR-84257
    • Security Metrics
    • Threat capability
    • rating systems
    • Elo
    • METIS-296446
    • RISK ASSESSMENT

    Cite this

    Pieters, W., van der Ven, S., & Probst, C. (2012). A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability. In Proceedings of the 2012 workshop on New security paradigms (NSPW 2012) (pp. 1-14). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2413296.2413298