Quantitative software security risk assessment model
Source
Conference on Computer and Communications Security
Proceedings of the 2007 ACM Workshop on Quality of Protection
Alexandria, Virginia, USA
Session: Business security metrics
Pages: 31-33
Year of Publication: 2007
ISBN: 978-1-59593-885-5
Authors
Idongesit Mkpong-Ruffin, Auburn University, Auburn, AL
David Umphress, Auburn University, Auburn, AL
John Hamilton, Auburn University, Auburn, AL
Juan Gilbert, Auburn University, Auburn, AL
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 21, Downloads (12 Months): 377, Citation Count: 1
DOI: http://doi.acm.org/10.1145/1314257.1314267
ABSTRACT

Risk analysis is a process for considering possible risks and determining which are the most significant for a particular effort. Deciding which risks to address, and the optimum strategy for mitigating them, is often an intuitive and qualitative process. An objective view of the risks inherent in a development effort requires a quantitative risk model. Quantitative risk models used to decide which risk factors to focus on tend to follow the traditional approach of annualized loss expectancy (ALE). This research uses empirical data reflecting the security posture of each vulnerability to calculate Loss Expectancy, a risk impact estimator. Data from open source vulnerability databases and the results of predicted threat models serve as input to the risk model. Security factors that account for the innate characteristics of each vulnerability are incorporated into the calculation, resulting in an empirical assessment of the potential threats to a development effort based on the risk metric calculation.

