Printed from https://ideas.repec.org/a/wly/riskan/v37y2017i8p1606-1627.html

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Authors
  • Luca Allodi
  • Fabio Massacci

Abstract

Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage on the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automatic tools that make up the vast majority of attacks in the wild against users and organizations. We consider two‐stage attacks whereby the attacker first breaches an Internet‐facing system, and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of “weaponized” vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology by using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.

Suggested Citation

  • Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
  • Handle: RePEc:wly:riskan:v:37:y:2017:i:8:p:1606-1627
    DOI: 10.1111/risa.12864

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.12864
    Download Restriction: no


    References listed on IDEAS

    1. Gerald G. Brown & Louis Anthony (Tony) Cox, Jr., 2011. "How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts," Risk Analysis, John Wiley & Sons, vol. 31(2), pages 196-204, February.
    2. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    3. George E. Apostolakis, 2004. "How Useful Is Quantitative Risk Assessment?," Risk Analysis, John Wiley & Sons, vol. 24(3), pages 515-520, June.
    4. Matthew H. Henry & Yacov Y. Haimes, 2009. "A Comprehensive Network Security Risk Model for Process Control Networks," Risk Analysis, John Wiley & Sons, vol. 29(2), pages 223-248, February.
    5. Jason Merrick & Gregory S. Parnell, 2011. "A Comparative Analysis of PRA and Intelligent Adversary Methods for Counterterrorism Risk Management," Risk Analysis, John Wiley & Sons, vol. 31(9), pages 1488-1510, September.
    6. Louis Anthony (Tony) Cox, 2008. "What's Wrong with Risk Matrices?," Risk Analysis, John Wiley & Sons, vol. 28(2), pages 497-512, April.
    7. Ginger Davis & Alfredo Garcia & Weide Zhang, 2009. "Empirical Analysis of the Effects of Cyber Security Incidents," Risk Analysis, John Wiley & Sons, vol. 29(9), pages 1304-1316, September.
    8. Yacov Y. Haimes, 2009. "On the Complex Definition of Risk: A Systems‐Based Approach," Risk Analysis, John Wiley & Sons, vol. 29(12), pages 1647-1654, December.
    9. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    10. Terje Aven, 2011. "On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and Resilience," Risk Analysis, John Wiley & Sons, vol. 31(4), pages 515-522, April.
    11. Howard Kunreuther, 2002. "Risk Analysis and Risk Management in an Uncertain World," Risk Analysis, John Wiley & Sons, vol. 22(4), pages 655-664, August.
    12. Insua, Insua Rios & Rios, Jesus & Banks, David, 2009. "Adversarial Risk Analysis," Journal of the American Statistical Association, American Statistical Association, vol. 104(486), pages 841-854.
    13. Sasha Romanosky & David Hoffman & Alessandro Acquisti, 2014. "Empirical Analysis of Data Breach Litigation," Journal of Empirical Legal Studies, John Wiley & Sons, vol. 11(1), pages 74-104, March.
    14. Terje Aven & Enrico Zio, 2014. "Foundational Issues in Risk Assessment and Risk Management," Risk Analysis, John Wiley & Sons, vol. 34(7), pages 1164-1172, July.
    15. Nageswara S. V. Rao & Stephen W. Poole & Chris Y. T. Ma & Fei He & Jun Zhuang & David K. Y. Yau, 2016. "Defense of Cyber Infrastructures Against Cyber‐Physical Attacks Using Game‐Theoretic Models," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 694-710, April.

    Citations

    Cited by:

    1. Edward J. Oughton & Daniel Ralph & Raghav Pant & Eireann Leverett & Jennifer Copic & Scott Thacker & Rabia Dada & Simon Ruffle & Michelle Tuveson & Jim W Hall, 2019. "Stochastic Counterfactual Risk Analysis for the Vulnerability Assessment of Cyber‐Physical Attacks on Electricity Distribution Infrastructure Networks," Risk Analysis, John Wiley & Sons, vol. 39(9), pages 2012-2031, September.
    2. Jaehyeon Ju & Daegon Cho & Jae Kyu Lee & Jae‐Hyeon Ahn, 2021. "Can It Clean Up Your Inbox? Evidence from South Korean Anti‐spam Legislation," Production and Operations Management, Production and Operations Management Society, vol. 30(8), pages 2636-2652, August.
    3. Tsan‐Ming Choi & James H. Lambert, 2017. "Advances in Risk Analysis with Big Data," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1435-1442, August.
    4. Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.
    5. David Rios Insua & Aitor Couce‐Vieira & Jose A. Rubio & Wolter Pieters & Katsiaryna Labunets & Daniel G. Rasines, 2021. "An Adversarial Risk Analysis Framework for Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 41(1), pages 16-36, January.
    6. Gregory Levitin & Liudong Xing & Hong‐Zhong Huang, 2019. "Security of Separated Data in Cloud Systems with Competing Attack Detection and Data Theft Processes," Risk Analysis, John Wiley & Sons, vol. 39(4), pages 846-858, April.
    7. Facchinetti, Silvia & Osmetti, Silvia Angela & Tarantola, Claudia, 2023. "Network models for cyber attacks evaluation," Socio-Economic Planning Sciences, Elsevier, vol. 87(PB).
    8. Lee, In, 2021. "Cybersecurity: Risk management framework and investment cost analysis," Business Horizons, Elsevier, vol. 64(5), pages 659-671.
    9. Alessandro Mazzoccoli, 2023. "Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis," Risks, MDPI, vol. 11(9), pages 1-14, August.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. J. S. Busby & B. Green & D. Hutchison, 2017. "Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk," Risk Analysis, John Wiley & Sons, vol. 37(7), pages 1298-1314, July.
    2. Zio, E., 2018. "The future of risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 177(C), pages 176-190.
    3. David Rios Insua & David Banks & Jesus Rios, 2016. "Modeling Opponents in Adversarial Risk Analysis," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 742-755, April.
    4. Christoph Werner & Tim Bedford & John Quigley, 2018. "Sequential Refined Partitioning for Probabilistic Dependence Assessment," Risk Analysis, John Wiley & Sons, vol. 38(12), pages 2683-2702, December.
    5. Thomas Ying‐Jeh Chen & Valerie Nicole Washington & Terje Aven & Seth David Guikema, 2020. "Review and Evaluation of the J100‐10 Risk and Resilience Management Standard for Water and Wastewater Systems," Risk Analysis, John Wiley & Sons, vol. 40(3), pages 608-623, March.
    6. Vineet M. Payyappalli & Jun Zhuang & Victor Richmond R. Jose, 2017. "Deterrence and Risk Preferences in Sequential Attacker–Defender Games with Continuous Efforts," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2229-2245, November.
    7. Dogucan Mazicioglu & Jason R. W. Merrick, 2018. "Behavioral Modeling of Adversaries with Multiple Objectives in Counterterrorism," Risk Analysis, John Wiley & Sons, vol. 38(5), pages 962-977, May.
    8. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    9. Mohammad E. Nikoofal & Mehmet Gümüs, 2015. "On the value of terrorist’s private information in a government’s defensive resource allocation problem," IISE Transactions, Taylor & Francis Journals, vol. 47(6), pages 533-555, June.
    10. Li, Yapeng & Qiao, Shun & Deng, Ye & Wu, Jun, 2019. "Stackelberg game in critical infrastructures from a network science perspective," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 521(C), pages 705-714.
    11. Nguyen, Son & Chen, Peggy Shu-Ling & Du, Yuquan & Shi, Wenming, 2019. "A quantitative risk analysis model with integrated deliberative Delphi platform for container shipping operational risks," Transportation Research Part E: Logistics and Transportation Review, Elsevier, vol. 129(C), pages 203-227.
    12. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    13. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    14. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    15. Yacov Y. Haimes, 2011. "Responses to Terje Aven's Paper: On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and Resilience," Risk Analysis, John Wiley & Sons, vol. 31(5), pages 689-692, May.
    16. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    17. Ahmed Abbasi & David Dobolyi & Anthony Vance & Fatemeh Mariam Zahedi, 2021. "The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites," Information Systems Research, INFORMS, vol. 32(2), pages 410-436, June.
    18. Javad Shafiee Neyestanak & Abbas Roozbahani, 2021. "Comprehensive Risk Assessment of Urban Wastewater Reuse in Water Supply Alternatives Using Hybrid Bayesian Network Model," Water Resources Management: An International Journal, Published for the European Water Resources Association (EWRA), Springer;European Water Resources Association (EWRA), vol. 35(14), pages 5049-5072, November.
    19. Michael Macgregor Perry & Hadi El-Amine, 2021. "Computational Efficiency in Multivariate Adversarial Risk Analysis Models," Papers 2110.12572, arXiv.org.
    20. Chaoqi, Fu & Yangjun, Gao & Jilong, Zhong & Yun, Sun & Pengtao, Zhang & Tao, Wu, 2021. "Attack-defense game for critical infrastructure considering the cascade effect," Reliability Engineering and System Safety, Elsevier, vol. 216(C).


    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.