security_economics
Differences
This shows you the differences between two versions of the page.
| security_economics [2018/11/26 00:22] – fabio.massacci@unitn.it | security_economics [2021/01/29 10:58] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 6: | Line 6: | ||
| * On the fairness of seucirty taxes in presence on interdependence | * On the fairness of seucirty taxes in presence on interdependence | ||
| + | * Estimating quantitative likelihood | ||
| * Cyber-Insurance: | * Cyber-Insurance: | ||
| - | * The Work Averse Attacker Model | + | * The Work Averse Attacker Model (A different way to consider attackers) |
| * Black markets actually work! | * Black markets actually work! | ||
| * Risk vs Rule base regulation: what is the best way to regulate? | * Risk vs Rule base regulation: what is the best way to regulate? | ||
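Review bot: the new bullet "Estimating quantitative likelihood" does not reuse the title of the section it introduces ("Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data"), whereas the neighbouring bullets match their headings (e.g. "Cyber-Insurance:", "The Work Averse Attacker Model"); align the bullet text with the heading so the list stays a usable table of contents. While touching this list, the unchanged first item still reads "seucirty taxes in presence on interdependence" and should be "security taxes in presence of interdependence".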
| Line 15: | Line 16: | ||
| See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
| + | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === | ||
| + | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, | ||
| + | * //Risk = Impact · Likelihood// | ||
| + | |||
| + | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||
| + | |||
| + | In our {{allodi-risa-17.pdf|Risk Analysis paper}} we show that it is possible to compute a quantitative estimation of the success of attack likelihood. Our measure is generated by technical data that all medium-large organizations already have in their infrastructure: | ||
| + | |||
| + | This data is currently often used in an unstructured way to either generate automatic reports on vulnerability severity, or to try to traceback known incidents. Our methodology proposes to correlate this data to measure on one side the exposure of a system to potential attacks, and on the other the opportunities that a successful attack has to breach a vulnerable system and escalate to the infrastructure. By enabling users in performing objective estimations of risk, our methodology makes a step forward toward the establishment of comparable measures for security | ||
| ==== Cyber-Insurance: | ==== Cyber-Insurance: | ||
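Review bot: the new heading opens with four equals signs but closes with three ("==== Beyond 1-5 Risk Matrices: ... ==="); DokuWiki derives the heading level from a matching pair, so this will not render at the same level as the "==== Cyber-Insurance:" heading that follows it. Change the closing marker to "====". In the added body text, "stillthe" should be "still the", "traceback" should be "trace back", "enabling users in performing" should be "enabling users to perform", and the last sentence ("...comparable measures for security") has no full stop. The unchanged context line above it also has "if you are interesting in understanding", which should be "interested".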
| Line 62: | Line 72: | ||
| If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{: | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{: | ||
| - | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https:// | + | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https:// |
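Review bot: the old and new sides of the changed line read identically up to the point where the link markup is cut off ("please look at our [[https://"), so the actual change is not visible in this rendering and cannot be checked; state in the revision summary whether the link target or its label changed. In the unchanged context line, "the Change in the number of attacked systems" has a stray capital, and "If you like to have an idea of the model" reads more naturally as "If you would like an idea of the model".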
| Line 215: | Line 225: | ||
| ===== Publications ===== | ===== Publications ===== | ||
| + | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http:// | ||
| * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https:// | * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https:// | ||
| * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http:// | * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http:// | ||
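Review bot: the added entry is marked "To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017", but this revision is dated 2018/11/26, so the paper should have been published by now; replace "To appear in" with the final volume, issue and page numbers (the neighbouring SPW entry carries the same stale "To appear ... 2017" wording and could be updated in the same pass). The new entry also has no space before the attachment link ("2017.{{http://"), unlike the other entries in the list.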
