Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

Authors:
Sandip C. Patel;James H. Graham;Patricia A. S. Ralston
Affiliations:
Department of Information Science and Systems, Graves School of Business and Management, Morgan State University, Baltimore, MD 21251, USA;J.B. Speed School of Engineering, University of Louisville, Louisville, KY 40292, USA;J.B. Speed School of Engineering, University of Louisville, Louisville, KY 40292, USA
Venue:
International Journal of Information Management: The Journal for Information Professionals
Year:
2008

Citing 14
Cited 2

The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Are We Forgetting the Risks of Information Technology?

Computer
Analyzing Internet Security Protocols

HASE '01 The 6th IEEE International Symposium on High-Assurance Systems Engineering: Special Topic: Impact of Networking
Model-Based Risk Assessment to Improve Enterprise Security

EDOC '02 Proceedings of the 6th International Enterprise Distributed Object Computing Conference
Assessing the Risk in E-commerce

HICSS '02 Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02)-Volume 7 - Volume 7
The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Journal of Computer Security - IFIP 2000
Managing vulnerabilities of information systems to security incidents

ICEC '03 Proceedings of the 5th international conference on Electronic commerce
Modeling and Simulating Critical Infrastructures and Their Interdependencies

HICSS '04 Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04) - Track 2 - Volume 2
A model for evaluating IT security investments

Communications of the ACM - Has the Internet become indispensable?
A Management Perspective on Risk of Security Threats to Information Systems

Information Technology and Management
Toward a Unified Security-Safety Model

Computer
Common Vulnerability Scoring System

IEEE Security and Privacy
Secure internet-based communication protocol for scada networks

Secure internet-based communication protocol for scada networks
The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

International Journal of Electronic Commerce

Attack and defense modeling with BDMP

MMM-ACNS'10 Proceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security
Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy

International Journal of Information Management: The Journal for Information Professionals

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper proposes a new approach for assessing the organization's vulnerability to information-security breaches. Although much research has been done on qualitative approaches, the literature on numerical approaches to quantify information-security risk is scarce. This paper suggests a method to quantify risk in terms of a numeric value or ''degree of cybersecurity''. To help quantitatively measure the level of cybersecurity for a computer-based information system, we present two indices, the threat-impact index and the cyber-vulnerability index, based on vulnerability trees. By calculating and comparing the indices for various possible security enhancements, managers can select the best security enhancement choice, prioritize the choices by their relative effectiveness, and statistically justify spending resources on the selected choice. By qualifying information security quantitatively, the method can also help managers establish a specific target of security level that they can track. We illustrate the use of the proposed methodology on the security of supervisory control and data acquisition (SCADA) systems using data from the SCADA system test bed implemented at the University of Louisville as a case study, and then show the use of the proposed indices on this information system before and after two security enhancements.