Strata-Gem: risk assessment through mission modeling
Source
Conference on Computer and Communications Security archive
Proceedings of the 4th ACM workshop on Quality of protection
Alexandria, Virginia, USA
SESSION: Risk
Pages 51-58
Year of Publication: 2008
ISBN: 978-1-60558-321-1
Authors
Kevin Clark  University of Tulsa, Tulsa, OK, USA
Ethan Singleton  University of Tulsa, Tulsa, OK, USA
Stephen Tyree  University of Tulsa, Tulsa, OK, USA
John Hale  University of Tulsa, Tulsa, OK, USA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1456362.1456374
ABSTRACT

Strata-Gem uses mission trees to perform risk assessments by linking an organization's objectives to the IT assets that implement them. Critical states are identified: the goals a potential attacker can achieve in order to prevent each asset from completing its objectives. Those goals then serve as the states that drive attack and fault tree analysis to determine the likelihood of an attack. The result is a quantitative risk measurement calculated for each asset, each objective, and the organization as a whole.


