Using security metrics coupled with predictive modeling and simulation to assess security processes
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
In this paper we present a novel approach that uses mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, we investigate vulnerability management policies, explore how effective standard patch-management and emergency-escalation-based policies are, and examine how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window. The paper describes the model we constructed to represent typical vulnerability management processes in large organizations, which captures both the external threat environment and the internal security processes and decision points. We also present the results of the experimental simulations, and show how changes in security solutions and policies, such as speeding up patch deployment and investing in early mitigation measures, affect the overall exposure window, measured as the time it takes to reduce the potential risk. We believe that this type of mathematical modelling and simulation-based approach provides a novel and useful way of considering security investment decisions, one that is quite distinct from traditional risk analysis.