
CyVar: Extending Var-At-Risk to ICT

  • Conference paper
  • Risk Assessment and Risk-Driven Testing (RISK 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9488)

Abstract

CyVar extends the Value-at-Risk (VaR) statistic to ICT systems under attack by intelligent, goal-oriented agents. CyVar is defined in terms of two times: the time an agent needs to acquire some access privileges and the time for which it then owns those privileges. To evaluate the former, we use the security stress, a synthetic measure of the robustness of an ICT system. We approximate this measure through the Haruspex suite, an integrated set of tools that supports ICT risk assessment and management. After defining CyVar, we show how it supports the evaluation of three versions of an industrial control system.
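The abstract only states that CyVar ties a VaR-style statistic to the time an attacker needs to gain privileges and the time it keeps them. The following block is an added illustration of that idea, not the paper's CyVar definition, the Haruspex suite, or any of the authors' code: it draws both times from constructed distributions in a Monte Carlo loop, turns the time the privilege is held into a loss, and reports the empirical quantile of the loss distribution, which is how VaR is conventionally read. The model (exponential times, a linear loss rate, a fixed observation window) and all parameter values are assumptions chosen for the demonstration.

```python
import math
import random


def empirical_quantile(samples, alpha):
    """Smallest sample value such that at least a fraction alpha of the
    samples are <= it (the usual empirical VaR estimator)."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    idx = int(math.ceil(alpha * len(ordered))) - 1
    idx = min(len(ordered) - 1, max(0, idx))
    return ordered[idx]


def simulate_losses(n_runs, horizon, mean_time_to_acquire,
                    mean_time_to_detect, loss_rate, seed=0):
    """Monte Carlo loss distribution for one system configuration.

    Assumed toy model (not the paper's):
      - time to acquire the privilege ~ Exp(mean_time_to_acquire)
      - time the privilege is held before the defender revokes it
        ~ Exp(mean_time_to_detect), truncated by the observation window
      - loss = loss_rate * time the privilege is held
    An attacker that never acquires the privilege inside the window
    causes zero loss in that run.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n_runs):
        t_acquire = rng.expovariate(1.0 / mean_time_to_acquire)
        if t_acquire >= horizon:
            losses.append(0.0)
            continue
        t_held = rng.expovariate(1.0 / mean_time_to_detect)
        t_held = min(t_held, horizon - t_acquire)
        losses.append(loss_rate * t_held)
    return losses


def value_at_risk(losses, alpha):
    """VaR at confidence alpha: loss not exceeded in a fraction alpha of runs."""
    return empirical_quantile(losses, alpha)


def expected_shortfall(losses, alpha):
    """Mean loss of the runs at or above the VaR; complements VaR by
    describing how bad the tail is, not just where it starts."""
    var = value_at_risk(losses, alpha)
    tail = [x for x in losses if x >= var]
    return sum(tail) / len(tail)


def compare_configurations(alpha=0.95, seed=7):
    """Two constructed configurations: the hardened one makes privilege
    acquisition slower (higher mean time to acquire) and detection faster."""
    baseline = simulate_losses(5000, horizon=30.0, mean_time_to_acquire=10.0,
                               mean_time_to_detect=5.0, loss_rate=100.0,
                               seed=seed)
    hardened = simulate_losses(5000, horizon=30.0, mean_time_to_acquire=20.0,
                               mean_time_to_detect=2.0, loss_rate=100.0,
                               seed=seed)
    return {
        "baseline_var": value_at_risk(baseline, alpha),
        "hardened_var": value_at_risk(hardened, alpha),
        "baseline_es": expected_shortfall(baseline, alpha),
        "hardened_es": expected_shortfall(hardened, alpha),
    }


if __name__ == "__main__":
    for name, value in compare_configurations().items():
        print(f"{name:>13}: {value:8.1f}")
```

Reading the output the way VaR is normally read: with `alpha = 0.95`, the reported loss is the value the simulated attacks do not exceed in 95 % of runs, so a configuration whose VaR drops is one where either the attacker needs longer to get in or the defender revokes the privilege sooner. Comparing configurations with the same seed keeps the random streams aligned, which is a cheap way to make the two figures comparable rather than noise.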


Notes

  1. An ancient Tuscan forecaster.


Author information

Correspondence to Fabrizio Baiardi.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Baiardi, F., Tonelli, F., Bertolini, A. (2015). CyVar: Extending Var-At-Risk to ICT. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science(), vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26415-8

  • Online ISBN: 978-3-319-26416-5

  • eBook Packages: Computer Science (R0)
