A Risk Assessment Model for Enterprise Network Security

  • Conference paper
Autonomic and Trusted Computing (ATC 2006)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 4158)

Abstract

A formal model of security risk assessment for enterprise information security is developed. The model, called the Graph Model, is constructed by mapping an enterprise's IT infrastructure and networks/systems onto a graph. The components of the model are the nodes, which represent hosts in the enterprise network together with their weights of importance and security; the connections between the nodes; and the safeguards in use, with their costs and effectiveness. The model can help identify protector resources, such as safeguards, that are inappropriate, insufficient or wasted relative to the needs of the protected resources, and then reallocate funds or protector resources to minimize security risk. An example is provided to illustrate the optimization method and process. The goal of using the Graph Model is to help enterprise decision makers decide whether their security investment is consistent with the expected risks and how to allocate funds or protector resources.

This research is supported by funding 2004CB719400 of China.




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

Cite this paper

Yang, FH., Chi, CH., Liu, L. (2006). A Risk Assessment Model for Enterprise Network Security. In: Yang, L.T., Jin, H., Ma, J., Ungerer, T. (eds) Autonomic and Trusted Computing. ATC 2006. Lecture Notes in Computer Science, vol 4158. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11839569_28

  • DOI: https://doi.org/10.1007/11839569_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-38619-3

  • Online ISBN: 978-3-540-38622-3

  • eBook Packages: Computer Science (R0)
