security_economics [2018/11/26 00:38]
fabio.massacci@unitn.it
security_economics [2018/11/26 00:42] (current)
fabio.massacci@unitn.it [Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data]
For a company, impact is easy to calculate, as data about one's own assets is routinely collected. Likelihood is still the holy grail. So both ISO/IEC 27001 and NIST 800-30 suggest the use of risk matrices as a tool to support such decisions. You get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors.
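One of the well-known errors of such matrices is range compression: two scenarios can be ordered one way by the ordinal matrix and the opposite way by their expected loss. The script below is an added example, not code from the paper; the likelihood and consequence band thresholds, the product-of-levels scoring and the three scenarios are all constructed assumptions.

```python
"""Rank reversals in a 5x5 risk matrix (constructed example, not from the paper)."""
from itertools import combinations

# Assumed likelihood bands: upper bound on annual probability for levels 1..4;
# anything at or above the last bound is level 5 ("certain").
LIKELIHOOD_BOUNDS = (0.05, 0.20, 0.50, 0.80)
# Assumed consequence bands: upper bound on loss (EUR) for levels 1..4;
# anything at or above the last bound is level 5 ("critical").
IMPACT_BOUNDS = (10_000, 100_000, 1_000_000, 10_000_000)
RISK_LABELS = {1: "low", 2: "moderate", 3: "medium", 4: "high", 5: "critical"}


def level(value, bounds):
    """Map a quantity to an ordinal level 1..5 using ascending upper bounds."""
    for lvl, upper in enumerate(bounds, start=1):
        if value < upper:
            return lvl
    return 5


def matrix_risk(prob, loss):
    """Risk level 1..5 a typical matrix assigns (assumed: likelihood level x impact level, banded)."""
    score = level(prob, LIKELIHOOD_BOUNDS) * level(loss, IMPACT_BOUNDS)  # 1..25
    return 1 + min(4, (score - 1) // 5)


def expected_loss(prob, loss):
    """Quantitative risk: annual probability times loss."""
    return prob * loss


def rank_reversals(scenarios):
    """Return name pairs the matrix orders opposite to their expected loss."""
    reversed_pairs = []
    for (na, pa, la), (nb, pb, lb) in combinations(scenarios, 2):
        matrix_gap = matrix_risk(pa, la) - matrix_risk(pb, lb)
        quant_gap = expected_loss(pa, la) - expected_loss(pb, lb)
        if matrix_gap * quant_gap < 0:  # opposite signs: the two rankings disagree
            reversed_pairs.append((na, nb))
    return reversed_pairs


SCENARIOS = [  # constructed: (name, annual probability, loss in EUR)
    ("A: rare but expensive", 0.049, 999_999),
    ("B: likely but cheap", 0.21, 10_001),
    ("C: moderate on both axes", 0.10, 50_000),
]

if __name__ == "__main__":
    for name, p, loss in SCENARIOS:
        print(f"{name}: matrix={RISK_LABELS[matrix_risk(p, loss)]}, expected loss={expected_loss(p, loss):,.0f} EUR")
    print("rank reversals:", rank_reversals(SCENARIOS))
```

Scenario A sits just under two band boundaries and lands in the lowest matrix cell despite carrying more than twenty times the expected loss of B, which the matrix rates higher.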
  
In our {{allodi-risa-17.pdf|Risk Analysis paper}} we show that it is possible to compute a quantitative estimate of the likelihood of attack success. Our measure is generated from technical data that all medium-to-large organizations already have in their infrastructure: vulnerability assessment tools are mandated for most firms processing credit cards, and periodic compliance auditing requires VA reports to be handed to the assessor. Similarly, IDS and firewall technologies are widely adopted.
  
This data is currently often used in an unstructured way, either to generate automatic reports on vulnerability severity or to trace back known incidents. Our methodology proposes correlating this data to measure, on one side, the exposure of a system to potential attacks and, on the other, the opportunities a successful attack has to breach a vulnerable system and escalate to the infrastructure. By enabling users to perform objective estimations of risk, our methodology is a step toward comparable measures of security.
==== Cyber-Insurance: good for your company, bad for your country? ====
  
security_economics.txt · Last modified: 2018/11/26 00:42 by fabio.massacci@unitn.it