Abstract
This report describes an information security risk assessment process that accommodates uncertainty and can be applied to deployed systems as well as systems under development. An example is given for a critical infrastructure, but the technique is applicable to other networks. RAPSA/MC extends the Risk Analysis and Probabilistic Survivability Assessment (RAPSA) systems-level process model with a Monte-Carlo (MC) technique that captures the uncertainty in expert estimates and illustrates its resulting impact on the model's forecast. The forecast is presented as a probability density function, enabling the security analyst to communicate security risks to financial decision makers more effectively. This approach may be particularly useful for visualizing the risk of an extreme event such as an unlikely but catastrophic exploit.
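As an added example (not the paper's code or data), the following stdlib-only Python script shows the kind of Monte-Carlo forecast the abstract describes: each expert estimate is a constructed (low, most likely, high) triple modelled as a triangular distribution, many years are simulated, and the resulting annual-loss sample is summarized by percentiles and the probability of exceeding a threshold so that the rare-but-catastrophic tail becomes visible. The estimate values, the loss model, and all function names are assumptions made for this illustration.

```python
import random
import statistics

# Constructed expert estimates (assumption, not the paper's data):
# (low, most likely, high) triples, each sampled from a triangular
# distribution so the expert's uncertainty propagates into the forecast.
EXPERT_ESTIMATES = {
    "attempts_per_year": (2, 6, 20),
    "p_success":         (0.01, 0.05, 0.20),
    "loss_per_success":  (50_000, 250_000, 5_000_000),
}

def draw(rng, low, mode, high):
    """Sample one value from a triangular(low, mode, high) distribution."""
    return rng.triangular(low, high, mode)

def simulate_year(rng, est):
    """One trial: sample each uncertain input, then the year's outcome.
    Attempts succeed independently, so most years see zero loss and a few
    see several successes; that skewed tail is what the density should show."""
    attempts = round(draw(rng, *est["attempts_per_year"]))
    p = draw(rng, *est["p_success"])
    loss_each = draw(rng, *est["loss_per_success"])
    successes = sum(1 for _ in range(attempts) if rng.random() < p)
    return successes * loss_each

def forecast(est=EXPERT_ESTIMATES, trials=20_000, seed=1):
    """Return the sorted sample of annual losses (the empirical forecast)."""
    rng = random.Random(seed)  # seeded so a forecast can be reproduced
    return sorted(simulate_year(rng, est) for _ in range(trials))

def percentile(sorted_losses, q):
    """Empirical q-quantile of an already sorted sample."""
    return sorted_losses[min(len(sorted_losses) - 1, int(q * len(sorted_losses)))]

def summarize(sorted_losses, threshold):
    """Figures a decision maker can act on, including the tail past a threshold."""
    n = len(sorted_losses)
    return {
        "mean": statistics.fmean(sorted_losses),
        "median": percentile(sorted_losses, 0.5),
        "p95": percentile(sorted_losses, 0.95),
        "p99": percentile(sorted_losses, 0.99),
        "p_exceeds_threshold": sum(x > threshold for x in sorted_losses) / n,
    }

if __name__ == "__main__":
    for key, value in summarize(forecast(), 1_000_000).items():
        print(f"{key:>20}: {value:,.3f}")
```

Comparing the mean with p95 and p99 shows why a single point estimate hides the extreme-event risk the abstract refers to.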
© 2005 International Federation for Information Processing
Conrad, J.R., Oman, P., Taylor, C. (2005). Managing Uncertainty in Security Risk Model Forecasts with RAPSA/MC. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_9
DOI: https://doi.org/10.1007/0-387-31167-X_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8