One of the big problems of risk assessment in information security is the quantification of risk-related properties, such as vulnerability. Vulnerability expresses the likelihood that a threat agent acting against an asset will cause impact, for example the likelihood that an attacker will be able to crack a password or break into a system. This likelihood depends on the capabilities of the threat agent and the strength of the controls in place. In this paper, we provide a framework for estimating these three variables (vulnerability, threat capability and control strength) based on the Elo rating used for chess players. This framework reinterprets security in terms of Item Response Theory. By observing the success of threat agents against assets, one can rate the strength of threats and controls, and predict the vulnerability of systems to particular threats. The application of Item Response Theory to the field of risk is new, but analogous to its application to children solving math problems. It provides an innovative and sound way to quantify vulnerability in models of (information) security.
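The rating idea in the abstract, as an added illustration that is not the paper's own code: each observed attempt of a threat against a control is treated like a chess game, the threat's capability and the control's strength are updated Elo-style, and the resulting rating gap gives a predicted vulnerability. The K-factor, the 400-point logistic scale and the 1500 starting rating are borrowed from chess practice and are assumptions, not parameters taken from the paper; the observations are constructed.

```python
"""Elo-style rating of threat capability against control strength."""
import math

K = 32.0        # assumed update step (chess convention, not the paper's value)
SCALE = 400.0   # assumed logistic scale (chess convention)


def vulnerability(threat_rating, control_rating):
    """Predicted probability that the threat succeeds against the control."""
    return 1.0 / (1.0 + 10 ** ((control_rating - threat_rating) / SCALE))


def update(threat_rating, control_rating, threat_succeeded):
    """Apply one observed attempt; return the new (threat, control) ratings.

    A success that was already expected moves the ratings little; a surprise
    (weak threat beats strong control, or vice versa) moves them a lot.
    """
    expected = vulnerability(threat_rating, control_rating)
    outcome = 1.0 if threat_succeeded else 0.0
    delta = K * (outcome - expected)
    return threat_rating + delta, control_rating - delta


def rate(observations, initial=1500.0):
    """Fit ratings from (threat_id, control_id, succeeded) triples in order."""
    threats, controls = {}, {}
    for threat, control, succeeded in observations:
        t = threats.get(threat, initial)
        c = controls.get(control, initial)
        threats[threat], controls[control] = update(t, c, succeeded)
    return threats, controls


# Constructed sample observations (hypothetical threat and control names).
SAMPLE = [
    ("script_kiddie", "password_policy", False),
    ("script_kiddie", "default_creds_box", True),
    ("apt", "password_policy", True),
    ("apt", "default_creds_box", True),
    ("script_kiddie", "password_policy", False),
]

if __name__ == "__main__":
    threats, controls = rate(SAMPLE)
    for name, r in sorted(threats.items()):
        print(f"threat  {name:18s} {r:7.1f}")
    for name, r in sorted(controls.items()):
        print(f"control {name:18s} {r:7.1f}")
    print("P(apt beats default_creds_box) =",
          round(vulnerability(threats["apt"], controls["default_creds_box"]), 3))
```

With only five observations the ratings already order the threats (apt above script_kiddie) and the controls (password_policy above default_creds_box), and the predicted vulnerability of the weak control to the strong threat comes out highest.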