
A Mathematical Framework for Risk Assessment

Chapter in: New Technologies, Mobility and Security

Abstract

Risk assessment is an important step in the development of a secure system: its goal is to identify the possible threats to a system and their impact, and hence to evaluate the associated risks. Although several systematic approaches have been developed to perform risk assessment, current methodologies rely substantially on the quantitative evaluations of experts. This paper addresses the problem of detaching the results of the methodology from the subjective judgements of experts, by formalising a risk assessment methodology in an appropriate mathematical framework that reduces the subjective aspects of experts' evaluations.




Copyright information

© 2007 Springer


Cite this chapter

Benini, M., Sicari, S. (2007). A Mathematical Framework for Risk Assessment. In: Labiod, H., Badra, M. (eds) New Technologies, Mobility and Security. Springer, Dordrecht. https://doi.org/10.1007/978-1-4020-6270-4_38


  • DOI: https://doi.org/10.1007/978-1-4020-6270-4_38

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-1-4020-6269-8

  • Online ISBN: 978-1-4020-6270-4
