Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in finance). This article presents a model and methodology that leverages the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automatic tools, which make up the vast majority of attacks in the wild against users and organizations. We consider two-stage attacks whereby the attacker first breaches an Internet-facing system, and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of "weaponized" vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.

Security Events and Vulnerability Data for Cybersecurity Risk Estimation / Allodi, L.; Massacci, F.. - In: RISK ANALYSIS. - ISSN 0272-4332. - STAMPA. - 37:8(2017), pp. 1606-1627. [10.1111/risa.12864]

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Allodi L.; Massacci F.
2017-01-01

Year: 2017
Issue: 8
Authors: Allodi, L.; Massacci, F.
Files in this item:

File | Size | Format

Risk analysis.pdf (archive administrators only)
  Type: Publisher's version (Publisher's layout)
  License: All rights reserved
  Size: 805.39 kB
  Format: Adobe PDF

allodi-risa-17.pdf (archive administrators only)
  Type: Refereed post-print (Refereed author's manuscript)
  License: All rights reserved
  Size: 625.83 kB
  Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/197812
Citations
  • PMC: ND
  • Scopus: 60
  • ISI: 44