Formal analysis of security metrics and risk

Authors:
Leanid Krautsevich;Fabio Martinelli;Artsiom Yautsiukhin
Affiliations:
Department of Computer Science, University of Pisa, Pisa, Italy;Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy;Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
Venue:
WISTP'11 Proceedings of the 5th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication
Year:
2011

Citing 16
Cited 2

A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior

IEEE Transactions on Software Engineering
Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security

IEEE Transactions on Software Engineering
The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Security attribute evaluation method: a cost-benefit approach

Proceedings of the 24th International Conference on Software Engineering
How to Buy Better Testing

InfraSec '02 Proceedings of the International Conference on Infrastructure Security
Information Assurance Measures and Metrics " State of Practice and Proposed Taxonomy

HICSS '03 Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9 - Volume 9
The Lognormal Distribution of Software Failure Rates: Application to Software Reliability Growth Modeling

ISSRE '98 Proceedings of the The Ninth International Symposium on Software Reliability Engineering
A method for modeling and quantifying the security attributes of intrusion tolerant systems

Performance Evaluation - Dependable systems and networks-performance and dependability symposium (DSN-PDS) 2002: Selected papers
Managing Cybersecurity Resources (The Mcgraw-Hill Homeland Security Series)

Managing Cybersecurity Resources (The Mcgraw-Hill Homeland Security Series)
A weakest-adversary security metric for network configuration security analysis

Proceedings of the 2nd ACM workshop on Quality of protection
Complete Guide to Security and Privacy Metrics

Complete Guide to Security and Privacy Metrics
Security Metrics: Replacing Fear, Uncertainty, and Doubt

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Minimum-cost network hardening using attack graphs

Computer Communications
An Attack Graph-Based Probabilistic Security Metric

Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
Formal approach to security metrics.: what does "more secure" mean for you?

Proceedings of the Fourth European Conference on Software Architecture: Companion Volume
SP 800-30. Risk Management Guide for Information Technology Systems

SP 800-30. Risk Management Guide for Information Technology Systems

A general method for assessment of security in complex services

ServiceWave'11 Proceedings of the 4th European conference on Towards a service-based internet
Towards modelling adaptive attacker's behaviour

FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security metrics are usually defined informally and, therefore, the rigourous analysis of these metrics is a hard task. This analysis is required to identify the existing relations between the security metrics, which try to quantify the same quality: security. Risk, computed as Annualised Loss Expectancy, is often used in order to give the overall assessment of security as a whole. Risk and security metrics are usually defined separately and the relation between these indicators have not been considered thoroughly. In this work we fill this gap by providing a formal definition of risk and formal analysis of relations between security metrics and risk.