This paper critically surveys previous work on the quantitative representation and analysis of security. Such quantified security has been presented as a general approach to precisely assess and control security. We classify a significant part of the work published between 1981 and 2008 with respect to security perspective, target of quantification, underlying assumptions and type of validation. The result shows that the validity of most methods is still strikingly unclear. Despite the application of techniques from fields such as computer science, economics and reliability theory, it remains unclear what valid results exist with respect to operational security. Quantified security is thus a weak hypothesis, because such methods have rarely been validated or compared against empirical data. Furthermore, many assumptions in formal treatments have been adopted from other fields and are not empirically well supported in operational security. Depending on quantitative methods with limited or no validation therefore carries a number of risks.