Quantifying information security risks using expert judgment elicitation

Ryan, Julie J.C.H.; Mazzuchi, Thomas A.; Ryan, Daniel J.; Cruz, J. López De La; Cooke, Roger M.

doi:10.1016/j.cor.2010.11.013

Cited by 57 publications

(24 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are various research efforts on modeling cyber intrusions, for example, to measure the security of a system (or system-of-systems) [5], [6], [7], [8], [9], [10]. These studies make various assumptions to support their claims; a frequent one being that attacks, or intrusions, follow a Poisson process, i.e., that the number of attacks or intrusions is well modeled by a Poisson distribution and that the time between such events is exponentially distributed.…”

Section: Distribution Of Cyber Intrusionsmentioning

confidence: 99%

“…In the same fashion as in the area of dependable computing, various research efforts have been made to enable estimating and predicting the security of a system (e.g., [5], [6], [7], [8], [9], [10]). Many such models origin from the domain of dependable computing [4], for example, how many intrusions that occur for a certain system (compared to faults).…”

Section: Introductionmentioning

confidence: 99%

“…This assumption has been criticized by empirical observations on various occasions [1], [2], [3], but is still applied by both researchers and practitioners (e.g., [12], [13], [14]) -much due to its mathematical simplicity. In the domain of cyber security, system compromises are often assumed to follow a Poisson distribution (e.g., [5], [6], [7], [8]). However, this assumption has never been thoroughly tested.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Large-Scale Study of the Time Required to Compromise a Computer System

Holm

2014

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Section: Distribution Of Cyber Intrusionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Large-Scale Study of the Time Required to Compromise a Computer System

Holm

2014

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

“…These analysis make many realistic to support their claims; a frequent one being that attacks, or intrusions, follows a Poisson process that the number of attacks or intrusions is well modeled by a Poisson distribution and that the time taken between such events is ideally distributed. In the paper [7,8,9] at the best of the author's knowledge, there is only one publication that an idea of the distribution of TTC using empirical information in data. The authors have observed that a total of 59 breaches, each of which them were categorized into one of six classes depending on the amount of hours taken to perform it [6].…”

Section: IImentioning

confidence: 99%

An Effective Method of Time Required to Compromise a Computer System

V¹,

Vishali²,

Rajakumari³

2015

International Journal of Advanced Research in Computer and Comm

View full text Add to dashboard Cite

Abstract:A cyber intrusion is a frequent assumption in the domain of cyber security and it follows the properties of a Poisson process. By the Poisson distribution the intrusion is well modeled and this process requires a high rate of time. This was also used with Pareto distribution of intrusion so that the rate of time required is slightly decreases with a better performance. Now we are used the chaos algorithm to determine the Time Taken to Compromise (TTC) by using this algorithm the time used for the performing a task in highly decreases. It shows the assumption of the Poisson process model might be suboptimal. The algorithm suggests that time to compromise decreases along the number of instruction of a system regarding this property. This paper clearly explains about the TTC by chaos algorithm.

show abstract

“…They provide a comprehensive survey of research and show that there is not sufficient empirical evidence to corroborate the hypothesis that computer and information "security can cor-rectly be represented with quantitative information" (Verendel, 2009, p. 37). In our paper, we do follow the numerous researchers attempting to quantify IT security risks (e.g., Feng & Li, 2011;Ryan et al, 2012;Rebollo, et al, 2015). This quantification may be used to construct a relationship between improvement and investment and allow gradual, optimal investment as in Giat (2013).…”

Section: It Risk Managementmentioning

confidence: 99%

Identifying Security Risk Modules in Information Systems

Dreyfuss¹,

Giat²

2016

InSITE Conference

View full text Add to dashboard Cite

We develop a two-stage model for identifying IT system modules with high security risks. In the first phase, we identify the subsystems that pose the highest risk and which require further investigation. In the next phase, we identify the high-security-risk modules using a more detailed approach. The output of this model helps managers decide on how to invest efficiently in improving the security of their IT system. We describe an application of this model to an IT system in an academic institution in Israel. In the first phase, three of ten subsystems are found to be very risky. In the next phase, we highlight the critical modules within those subsystems. The results of our application in the academic institution indicate that security breaches for the purpose of cheating are a greater threat than other types of security issues.

show abstract

Quantifying information security risks using expert judgment elicitation

Cited by 57 publications

References 19 publications

A Large-Scale Study of the Time Required to Compromise a Computer System

A Large-Scale Study of the Time Required to Compromise a Computer System

An Effective Method of Time Required to Compromise a Computer System

Identifying Security Risk Modules in Information Systems

Contact Info

Product

Resources

About