International Journal of Information Management: The Journal for Information Professionals
This paper proposes a new approach for assessing an organization's vulnerability to information-security breaches. Although much research has been done on qualitative approaches, the literature on numerical approaches to quantifying information-security risk is scarce. This paper suggests a method to quantify risk in terms of a numeric value, or "degree of cybersecurity". To help quantitatively measure the level of cybersecurity of a computer-based information system, we present two indices, the threat-impact index and the cyber-vulnerability index, both based on vulnerability trees. By calculating and comparing the indices for various possible security enhancements, managers can select the best security enhancement, prioritize the choices by their relative effectiveness, and statistically justify spending resources on the selected choice. By expressing information security quantitatively, the method can also help managers establish a specific target security level that they can track. We illustrate the proposed methodology on the security of supervisory control and data acquisition (SCADA) systems, using data from the SCADA system test bed implemented at the University of Louisville as a case study, and then show the use of the proposed indices on this information system before and after two security enhancements.