Physical Security Risk Analysis for Mobile Access Systems Including Uncertainty Impact

Termin, Thomas; Lichte, Daniel; Wolf, Kai-Dietrich

doi:10.3850/978-981-18-2016-8_175-cd

Cited by 2 publications

(2 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As qualitatively described in Termin et al (2022) and criticized in Termin et al (2021), there are biases compared to the ICM: If protection and intervention are good, but observation is very poor, then the Harnser vulnerability score would be in the midrange. However, according to the ICM, the system would be highly vulnerable, because an intervention can only succeed if an attacker is detected in time -i.e.…”

Section: Introductionmentioning

confidence: 99%

Risk Adjusting of Scoring-based Metrics in Physical Security Assessment

Termin,

Lichte,

Wolf

2023

Proceeding of the 33rd European Safety and Reliability Conference

View full text Add to dashboard Cite

Scoring-based systems are used worldwide to assess safety and security risks. Due to their ease of use, qualitative and semi-quantitative metrics are very popular. However, there may be the possibility that these scores do not accurately reflect the real risk, as was e.g. shown by Braband (2008) or Krisper (2021). In the worst case, this can lead to a misguided investment in measures. To avoid this, an adjustment of the scoring to a quantitative metric is required. The examples of the semi-quantitative Harnser metric and the quantitative vulnerability metric of Lichte et al. ( 2016) from physical security -in this work called intervention capability metric (ICM) -are used to show in this paper how to transfer a well-defined performance mechanism for quantitatively calculating physical vulnerability into consistent scores. To enable the transfer, this paper performs a metrical analysis. The results of the Harnser metric are extended by estimated probability intervals and compared to the results of the ICM. Different types of scales are used. Subsequently, we analyze measures to align the results of these two metrics, such as modifying the assignment of scores to scale categories or adjusting the probability intervals behind the scores. As an output, the metrical analysis generates rating scales for the Harnser scoring system that can be used to replicate quantitative vulnerability values. The results contribute to making more risk-appropriate decisions. Finally, we critically evaluate possibilities and limitations of metrical adaptability and summarize results.

show abstract

Section: Introductionmentioning

confidence: 99%

Risk Adjusting of Scoring-based Metrics in Physical Security Assessment

Termin,

Lichte,

Wolf

2023

Proceeding of the 33rd European Safety and Reliability Conference

View full text Add to dashboard Cite

show abstract

“…A certain interplay of the three performance mechanisms is required to achieve a protective effect. In the context of metric accuracy, Krisper (2021) and Termin et al (2021) analyze problems with the use of semi-quantitative approaches. In IT security, this performance mechanism is obviously missing.…”

Section: Introductionmentioning

confidence: 99%

An Analytic Approach to Analyze a Defense-in-Depth (DiD) Effect as proposed in IT Security Assessment

Termin¹,

Lichte²,

Wolf³

2022

Book of Extended Abstracts for the 32nd European Safety and Reliability Conference

View full text Add to dashboard Cite

Latest approaches in IT security assessments interpret the Common Vulnerability Scoring System (CVSS) parameters as barriers connected in series. In contrast to the classic multiplicative approach according to CVSS for determining exploitability via numerical values associated with the CVSS parameters, an additive approach is proposed in Braband (2019). Logarithmized CVSS scores are introduced to overcome the computational limitations with ordinal values. The log score sum across all barriers is sorted on a scale corresponding to a likelihood of exploitability (LoE) category. CVSS world is not only decomposed and remodeled into a mathematically admissible algorithm, but also contains an inherent defense-in-depth (DiD) effect. With each barrier added, the LoE decreases. This architectural interpretation can neither be falsified nor confirmed with previous CVSS metrics. Unlike in the IT security domain, tools exist in physical security to compute DiD in an objectively consistent manner. In our paper, we apply these considerations to a physical security setup in order to replicate his systemic modification based on CVSS. In a detailed analysis, we examine the boundary conditions and measures that must be taken in quantitative physical security metrics to emulate the DiD effect in IT security.

show abstract

Physical Security Risk Analysis for Mobile Access Systems Including Uncertainty Impact

Cited by 2 publications

References 6 publications

Risk Adjusting of Scoring-based Metrics in Physical Security Assessment

Risk Adjusting of Scoring-based Metrics in Physical Security Assessment

An Analytic Approach to Analyze a Defense-in-Depth (DiD) Effect as proposed in IT Security Assessment

Contact Info

Product

Resources

About