When attacking a software system is only as difficult as obtaining a vulnerability to exploit, the security strength of that system is equivalent to the market price of such a vulnerability. In this dissertation I show how security strength can be measured using market means, how these strength measures can be applied to create models that forecast the security risk facing a system, and how the power of markets can also be unleashed to increase security strength throughout the software development process. In short, I provide the building blocks required for a comprehensive, quantitative approach to increasing security strength and reducing security risk.

The importance of quantifying security strength and risk continues to grow as individuals, businesses, and governments become increasingly reliant on software systems. The security of software deployed to date has suffered because these systems are developed and released without any meaningful measures of security, leaving consumers unable to differentiate stronger software products from weaker ones. Even if we knew that we could make systems measurably stronger, the lack of accurate security risk models has blurred our ability to forecast the value to be gained by strengthening them. Without the tools introduced in this dissertation, those of us tasked with making security decisions have been forced to rely on expert opinion, anecdotal evidence, and other unproven heuristics.