Quantitative software security risk assessment model

Authors:
Idongesit Mkpong-Ruffin;David Umphress;John Hamilton;Juan Gilbert
Affiliations:
Auburn University, Auburn, AL;Auburn University, Auburn, AL;Auburn University, Auburn, AL;Auburn University, Auburn, AL
Venue:
Proceedings of the 2007 ACM workshop on Quality of protection
Year:
2007

Citing 10
Cited 1

Artificial Neural Networks: A Tutorial

Computer - Special issue: neural computing: companion issue to Spring 1996 IEEE Computational Science & Engineering
A 'Crystal Ball' for Software Liability

Computer
Using Neural Networks in Reliability Prediction

IEEE Software
An Enhanced Neural Network Technique for Software Risk Analysis

IEEE Transactions on Software Engineering
Bacon Ice Cream: The Best Mix of Proactive and Reactive Security?

IEEE Security and Privacy
The CORAS methodology: model-based risk assessment using UML and UP

UML and the unified process
Secure Systems Development with UML

Secure Systems Development with UML
Processes for Producing Secure Software: Summary of US National Cybersecurity Summit Subgroup Report

IEEE Security and Privacy
Risk Analysis in Software Design

IEEE Security and Privacy
Software Security: Building Security In

Software Security: Building Security In

Enabling the adoption of aspects - testing aspects: a risk model, fault model and patterns

Proceedings of the 8th ACM international conference on Aspect-oriented software development

Quantified Score

Hi-index	0.00

Visualization

Abstract

Risk analysis is a process for considering possible risks and determining which are the most significant for any particular effort. Determining which risks to address and the optimum strategy for mitigating said risks is often an intuitive and qualitative process. An objective view of the risks inherent in a development effort requires a quantitative risk model. Quantitative risk models used in determining which risk factors to focus on, tend to use a traditional approach of annualized loss expectancy (ALE). This research uses empirical data that reflects the security posture of each vulnerability to calculate Loss Expectancy; a risk impact estimator. Data from open source vulnerability databases and results of predicted threat models are used as input to the risk model. Security factors that take into account the innate characteristics of each vulnerability are incorporated into the calculation of the risk model; resulting in an empirical assessment of the potential threats to a development effort based on the risk metric calculation.