Skip to main content
SpringerLink
Log in

Time-to-Compromise Model for Cyber Risk Reduction Estimation

  • Conference paper
Quality of Protection

Part of the book series: Advances in Information Security ((ADIS,volume 23))

Abstract

We propose a new model for estimating the time to compromise a system component that is visible to an attacker. The model provides an estimate of the expected value of the time-to-compromise as a function of known and visible vulnerabilities, and attacker skill level. The time-to-compromise random process model is a composite of three subprocesses associated with attacker actions aimed at the exploitation of vulnerabilities. In a case study, the model was used to aid in a risk reduction estimate between a baseline Supervisory Control and Data Acquisition (SCADA) system and the baseline system enhanced through a specific set of control system security remedial actions. For our case study, the total number of system vulnerabilities was reduced by 86% but the dominant attack path was through a component where the number of vulnerabilities was reduced by only 42% and the time-to-compromise of that component was increased by only 13% to 30% depending on attacker skill level.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 169.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 219.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 219.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Browne, H. K., McHugh, J., Arbaugh, W.A. and Fithen, W.L., “A trend Analysis of Exploitations,” technical report CS-TR-4200, University of Maryland and Software Engineering Institute, November 2002.

    Google Scholar 

  2. Cohen, F., “Managing Network Security The Millisecond Fantasy,” http://all.net/journal/netsec/1999-2003.html, 2003.

  3. Evans, M., Hastings, N. and Peacock, B., “Statistical Distributions,” Second Edition, 1993.

    Google Scholar 

  4. Jonsson, E., “A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior,” IEEE Transactions on Software Engineering, Vol 23 No 4, April 1997.

    Google Scholar 

  5. Rescorla, E., “Is Finding Security Holes a Good Idea,” IEEE Security & Privacy, January–February 2005.

    Google Scholar 

  6. Turner, D., ed., “Symantec Internet Security Threat Report,” Volume VI, September, 2004, http://enterprisesecurity.symantec.com/content.cfm?articleid-1539, 2004.

    Google Scholar 

  7. Byres, E. J., Franz, M. and Miller, D., “The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems”, International Infrastructure Survivability Workshop (IISW ‘04, IEEE, Lisbon, Portugal, December 4, 2004

    Google Scholar 

  8. Carlson, R. E., Turnquist, M. A. and Nozick, L. K., Expected Losses, Insurability, and Benefits from Reducing Vulnerability to Attacks, SAND2004-0742, Sandia National Laboratories, Albuquerque, New Mexico, 2004.

    Google Scholar 

  9. Dacier, M., Deswarte, Y. and Kaaniche, M., “Quantitative Assessment of Operational Security: Models and Tools” Information Systems Security, ed. by S. K. Katsikas and D. Gritzalis, London, Chapman & Hall, p. 179–86, 1996.

    Google Scholar 

  10. Haimes, Yacov Y., “Accident Precursors, Terrorist Attacks, and Systems Engineering,” Presented at the NAE Workshop, 2003.

    Google Scholar 

  11. Madan, B.B., Goševa-Popstojavova, K., Vaidyanathan, K. and Trivedi, K. S., “Modeling and Quantification of Security Attributes of Software Systems,” International Conference on Dependable Systems and Networks, Washington, DC,, 2002.

    Google Scholar 

  12. Major, J. A., “Advanced Techniques for Modeling Terrorism Risk,” Journal of Risk Finance, Fall 2002.

    Google Scholar 

  13. McQueen, M. A., Boyer, W. F., Flynn, M. A. and Beitel, G. A., “Quantitative Cyber Risk Reduction Estimation for a SCADA Control System”, INL/EXT-05-00319, Idaho National Laboratory, CSSC Report, prepared for U.S. Department of Homeland Security, May 17, 2005.

    Google Scholar 

  14. Sheyner, O., Haines, J., Jha, S., Lippmann, R. and Wing, J. M., “Automated Generation and Analysis of Attack Graphs,” Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, Berkeley, California, May 2002, 273–284.

    Google Scholar 

  15. Taylor C, Krings, A. and Alves-Foss, J., “Risk Analysis and Probabilistic Survivability Assessment (RAPSA): An Assessment Approach for Power Substation Hardening,” Proc. ACM Workshop on Scientific Aspects of Cyber Terrorism, (SACT), Washington DC, November 21, 2002.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Idaho National Laboratory, 2525 N. Fremont, Idaho Falls, Idaho, USA, 83415

    Miles A. McQueen, Wayne F. Boyer, Mark A. Flynn & George A. Beitel

Authors
  1. Miles A. McQueen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wayne F. Boyer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mark A. Flynn
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. George A. Beitel
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute Security in Distributed Applications, TU Hamburg-Harburg, Harburger Schloßstraße 20, 21079, Hamburg, Germany

    Dieter Gollmann

  2. Dipartimento Informatica e Telecomunicazioni (DIT), University of Trento, Via Sommarive, 14 38050, Trento, Italy

    Fabio Massacci  & Artsiom Yautsiukhin  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer Science+Business Media, LLC.

About this paper

Cite this paper

McQueen, M.A., Boyer, W.F., Flynn, M.A., Beitel, G.A. (2006). Time-to-Compromise Model for Cyber Risk Reduction Estimation. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-0-387-36584-8_5

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-29016-4

  • Online ISBN: 978-0-387-36584-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation