This shows you the differences between two versions of the page.
security_economics [2017/06/27 19:32] fabio.massacci@unitn.it [People] |
security_economics [2018/11/26 00:34] fabio.massacci@unitn.it [Beyond 1-5 Risk Matrices: quantitative likelihood] |
Line 5: | Line 5: | ||
+ | * On the fairness of seucirty taxes in presence on interdependence | ||
+ | * Estimating quantitative likelihood | ||
* Cyber-Insurance: good for your company, bad for your country? | * Cyber-Insurance: good for your company, bad for your country? | ||
- | * The Work Averse Attacker Model | + | * The Work Averse Attacker Model (A different way to consider attackers) |
* Black markets actually work! | * Black markets actually work! | ||
* Risk vs Rule base regulation: what is the best way to regulate? | * Risk vs Rule base regulation: what is the best way to regulate? | ||
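Review bot: the first added bullet in this hunk misspells "security" as "seucirty" and uses the wrong preposition; it should read `* On the fairness of security taxes in presence of interdependence`. The second added bullet, "Estimating quantitative likelihood", does not match the title of the section it announces ("Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data"); use the same wording in both places so readers can find the section. Since the list is being edited anyway, the unchanged bullet "Risk vs Rule base regulation" should be "Risk-based vs rule-based regulation".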
Line 13: | Line 15: | ||
See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
+ | |||
+ | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === | ||
+ | |||
+ | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation | ||
+ | |||
+ | * //Risk = Impact · Likelihood// | ||
+ | |||
+ | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. Table III reports a simple example of a 3x3 risk matrix, where the interaction between the rare, frequent, certain likelihood levels and the minor, severe, critical consequence levels, results in a final 3-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||
+ | |||
==== Cyber-Insurance: good for your company, bad for your country? ==== | ==== Cyber-Insurance: good for your company, bad for your country? ==== | ||
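Review bot: the new heading in this hunk opens with four `=` but closes with three; every other heading on the page (e.g. `==== Cyber-Insurance: good for your company, bad for your country? ====`) uses matching markers, so close it with `====`. In the body paragraph, "stillthe" should be "still the", "one's own asset" should be "one's own assets", and the standards should be named as "ISO/IEC 27001" and "NIST SP 800-30"; "to support such decisions" has no antecedent, so say what decision is meant (estimating the likelihood term). "Table III" refers to a table that is not on the wiki page and was evidently copied from a paper; either inline the 3x3 matrix (rare/frequent/certain against minor/severe/critical, giving low/medium/high) or name the paper it comes from and link it, as the other sections do. The closing sentence "This is pretty rough and well known to be full of errors" is a strong claim with no reference; add the citation the claim rests on, and say in one sentence what the data-driven estimate promised by the heading replaces the matrix with, since the section currently stops before delivering it.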
Line 59: | Line 70: | ||
If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | ||
- | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (COmmon Vulnerability Scoring System) v3 world standard. | + | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (Common Vulnerability Scoring System) v3 world standard. |
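Review bot: the capitalisation fix "Common Vulnerability Scoring System" is correct. While this paragraph is being touched, the unchanged line above it reads "If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems", which should be "If you would like an idea of the model, this other picture shows the change in the number of attacked systems" (comma after the clause, lower-case "change").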