This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
security_economics [2018/11/26 00:22] fabio.massacci@unitn.it |
security_economics [2018/11/26 00:38] fabio.massacci@unitn.it |
||
---|---|---|---|
Line 6: | Line 6: | ||
* On the fairness of seucirty taxes in presence on interdependence | * On the fairness of seucirty taxes in presence on interdependence | ||
+ | * Estimating quantitative likelihood | ||
* Cyber-Insurance: good for your company, bad for your country? | * Cyber-Insurance: good for your company, bad for your country? | ||
- | * The Work Averse Attacker Model | + | * The Work Averse Attacker Model (A different way to consider attackers) |
* Black markets actually work! | * Black markets actually work! | ||
* Risk vs Rule base regulation: what is the best way to regulate? | * Risk vs Rule base regulation: what is the best way to regulate? | ||
Line 15: | Line 16: | ||
See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
+ | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === | ||
+ | |||
+ | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation | ||
+ | |||
+ | * //Risk = Impact · Likelihood// | ||
+ | |||
+ | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||
+ | |||
+ | In our {{allodi-risa-17.pdf|Risk Analysis paper}}. | ||
Line 62: | Line 72: | ||
If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | ||
- | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (COmmon Vulnerability Scoring System) v3 world standard. | + | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (Common Vulnerability Scoring System) v3 world standard. |
Line 215: | Line 225: | ||
===== Publications ===== | ===== Publications ===== | ||
+ | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}} | ||
* F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | ||
* L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} | * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} |