Differences

This shows you the differences between two versions of the page.

--- security_economics [2018/11/26 00:34] – [Beyond 1-5 Risk Matrices: quantitative likelihood] fabio.massacci@unitn.it
+++ security_economics [2021/01/29 10:58] (current) – external edit 127.0.0.1
@@ Line 22: / Line 22: @@
   * //Risk = Impact · Likelihood//
-For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. Table III reports a simple example of a 3x3 risk matrix, where the interaction between the rare, frequent, certain likelihood levels and the minor, severe, critical consequence levels, results in a final 3-level risk evaluation from low to high. This is pretty rough and well known to be full of errors.
+For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors.
+In our {{allodi-risa-17.pdf|Risk Analysis paper}} we show that it is possible to compute a quantitative estimation of the success of attack likelihood. Our measure is generated by technical data that all medium-large organizations already have in their infrastructure: vulnerability assessment tools are mandated to most firms processing credit cards, and periodic auditing for compliance requires VA reports to be handed to the assessor. Similarly, IDS and Firewall technologies are widely adopted.
+This data is currently often used in an unstructured way to either generate automatic reports on vulnerability severity, or to try to traceback known incidents. Our methodology proposes to correlate this data to measure on one side the exposure of a system to potential attacks, and on the other the opportunities that a successful attack has to breach a vulnerable system and escalate to the infrastructure. By enabling users in performing objective estimations of risk, our methodology makes a step forward toward the establishment of comparable measures for security
 ==== Cyber-Insurance: good for your company, bad for your country? ====
@@ Line 223: / Line 225: @@
 ===== Publications =====
+  * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}}
   * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}}
   * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}}