Abstract
A security risk analysis will only serve its purpose if we can trust that the risk levels obtained from the analysis are correct. However, obtaining correct risk levels requires that we find correct likelihood and consequence values for the unwanted incidents identified during the analysis. This is often very hard. Moreover, the values may soon be outdated as the system under consideration or its environment changes. It is therefore desirable to be able to base estimates of risk levels on measurable indicators that are dynamically updated. In this paper we present an approach for exploiting measurable indicators in order to obtain a risk picture that is continuously or periodically updated. We also suggest dynamic notions of confidence aiming to capture to what extent we may trust the current risk picture.
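To make the idea concrete, here is a small Python illustration of a risk picture that is recomputed from a measurable indicator and carries a confidence value. It is an added example written for this page, not the authors' method or any code from the paper: the threshold bands, the 5x5 risk matrix, the 30-day window and the confidence formula (sample sufficiency multiplied by a freshness half-life decay) are all assumptions chosen for illustration, and the indicator samples are constructed.

```python
"""Dynamic risk picture from a measurable indicator, with a confidence value.

Constructed illustration (not the paper's approach): the likelihood of one
unwanted incident is estimated from an indicator time series, the consequence
is a fixed expert estimate, and a confidence in [0, 1] says how far the current
risk level should be trusted given how many samples support it and how stale
the newest one is.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LIKELIHOOD_LEVELS = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE_LEVELS = ["insignificant", "minor", "moderate", "major", "catastrophic"]


@dataclass
class IndicatorSample:
    observed_at: datetime
    value: float  # e.g. failed logins on a service per day (constructed meaning)


def likelihood_from_rate(rate: float, thresholds=(1, 5, 20, 50)) -> str:
    """Map an observed rate to a likelihood level by threshold bands (assumed)."""
    for level, upper in zip(LIKELIHOOD_LEVELS, thresholds):
        if rate < upper:
            return level
    return LIKELIHOOD_LEVELS[-1]


def risk_level(likelihood: str, consequence: str) -> str:
    """Assumed 5x5 risk matrix: rank product mapped to low / medium / high."""
    score = (LIKELIHOOD_LEVELS.index(likelihood) + 1) * (
        CONSEQUENCE_LEVELS.index(consequence) + 1
    )
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def confidence(samples, now, min_samples=10, half_life=timedelta(days=7)) -> float:
    """Assumed confidence: sample sufficiency times freshness decay.

    Sufficiency saturates at min_samples; freshness halves every half_life
    measured from the newest sample, so an unrefreshed indicator loses trust.
    """
    if not samples:
        return 0.0
    sufficiency = min(1.0, len(samples) / min_samples)
    age = now - max(s.observed_at for s in samples)
    freshness = 0.5 ** (age / half_life)
    return sufficiency * freshness


def risk_picture(samples, consequence, now, window=timedelta(days=30)):
    """Return (likelihood, risk level, confidence) recomputed at time `now`."""
    recent = [s for s in samples if timedelta(0) <= now - s.observed_at <= window]
    if not recent:
        return ("unknown", "unknown", 0.0)
    rate = sum(s.value for s in recent) / len(recent)
    lik = likelihood_from_rate(rate)
    return (lik, risk_level(lik, consequence), round(confidence(recent, now), 3))


# Constructed indicator: twelve daily readings ending the day before `NOW`.
NOW = datetime(2024, 1, 31)
SAMPLES = [
    IndicatorSample(NOW - timedelta(days=12 - i), v)
    for i, v in enumerate([6, 9, 7, 10, 8, 8, 7, 9, 8, 8, 9, 7])
]


def example_picture():
    """Risk picture for the constructed indicator with a 'major' consequence."""
    return risk_picture(SAMPLES, "major", NOW)


if __name__ == "__main__":
    print("current picture:", example_picture())
    # Re-evaluating two months later with no new samples: the picture is gone.
    print("stale picture:", risk_picture(SAMPLES, "major", NOW + timedelta(days=60)))
```

The mean reading of 8 falls in the "possible" band; combined with a "major" consequence the matrix gives "medium", and because twelve samples exceed the assumed minimum and the newest is one day old, confidence is about 0.906. Evaluating the same samples sixty days later yields no recent data and an "unknown" picture with zero confidence, which is the point of tying the risk picture to indicator freshness rather than to a one-off estimate.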
© 2009 IFIP International Federation for Information Processing
Refsdal, A., Stølen, K. (2009). Employing Key Indicators to Provide a Dynamic Risk Picture with a Notion of Confidence. In: Ferrari, E., Li, N., Bertino, E., Karabulut, Y. (eds) Trust Management III. IFIPTM 2009. IFIP Advances in Information and Communication Technology, vol 300. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02056-8_14
DOI: https://doi.org/10.1007/978-3-642-02056-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02055-1
Online ISBN: 978-3-642-02056-8