Applications of qualitative modeling to knowledge-based risk assessment studies
IEA/AIE '89 Proceedings of the 2nd international conference on Industrial and engineering applications of artificial intelligence and expert systems - Volume 1
Information systems security design methods: implications for information systems development
ACM Computing Surveys (CSUR)
NSPW '97 Proceedings of the 1997 workshop on New security paradigms
Writing Secure Code
Software Measurement: A Necessary Scientific Basis
IEEE Transactions on Software Engineering
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Managing vulnerabilities of information systems to security incidents
ICEC '03 Proceedings of the 5th international conference on Electronic commerce
The CORAS methodology: model-based risk assessment using UML and UP
UML and the unified process
Efficient Minimum-Cost Network Hardening Via Exploit Dependency Graphs
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Risk-based Systems Security Engineering: Stopping Attacks with Intention
IEEE Security and Privacy
Security Meter: A Practical Decision-Tree Model to Quantify Risk
IEEE Security and Privacy
Risky trust: risk-based analysis of software systems
SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
In previous works [2, 4] we introduced a formal risk assessment method and proved its mathematical properties. The method models a system as a structured set of vulnerabilities, each of which may depend on the others; its goal is to take the influence of these dependencies into account and thus to provide a global risk assessment. A crucial point is the use of order-based metrics to measure the exploitability of a threat: order-based metrics reduce the subjective aspects of the risk evaluation process. This work extends the previous ones by showing how to combine the risk evaluations performed by different experts whose degree of expertise may vary.