Estimating ToE Risk Level using CVSS

S.H. Houmb, V. Nunes Leal Franqueira

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

23 Citations (Scopus)
72 Downloads (Pure)

Abstract

Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is making future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.

Original language: Undefined
Title of host publication: Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009 - The International Dependability Conference)
Place of Publication: Los Alamitos
Publisher: IEEE Computer Society Press
Pages: 718-725
Number of pages: 8
ISBN (Print): 978-0-7695-3564-7
DOI: 10.1109/ARES.2009.151
Publication status: Published - 16 Mar 2009
Event: 4th International Conference on Availability, Reliability and Security, ARES 2009: The International Dependability Conference - Fukuoka Institute of Technology (FIT), Fukuoka, Japan
Duration: 16 Mar 2009 - 19 Mar 2009
Conference number: 4

Publication series

Name: IEEE Conference Proceedings
Publisher: IEEE Computer Society
ISSN (Print): 1077-2626
ISSN (Electronic): 1941-0506

Workshop

Workshop: 4th International Conference on Availability, Reliability and Security, ARES 2009
Abbreviated title: ARES
Country: Japan
City: Fukuoka
Period: 16/03/09 - 19/03/09

Keywords

  • IS-SECURITY
  • IR-65220
  • METIS-263703
  • EWI-14617

Cite this

Houmb, S. H., & Nunes Leal Franqueira, V. (2009). Estimating ToE Risk Level using CVSS. In Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009 - The International Dependability Conference) (pp. 718-725). (IEEE Conference Proceedings). Los Alamitos: IEEE Computer Society Press. https://doi.org/10.1109/ARES.2009.151