Abstract
A formal model of security risk assessment for an enterprise information security is developed. The model, called the Graph Model, is constructed based on the mapping of an enterprise IT infrastructure and networks/systems onto a graph. Components of the model include the nodes which represent hosts in enterprise network and their weights of importance and security, the connections of the nodes, and the safeguards used with their costs and effectiveness. The model can assist to identify inappropriate, insufficient or waste protector resources like safeguards that are relative to the needs of the protected resources, and then reallocates the funds or protector resources to minimize security risk. An example is provided to represent the optimization method and process. The goal of using Graph Model is to help enterprise decision makers decide whether their security investment is consistent with the expected risks and how to allocate the funds or protector resources.
This research is supported by the funding 2004CB719400 of China.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Hoo, K.J.S.: How Much Is Enough? A Risk-Management Approach to Computer Security. In: Consortium for Research on Information Security and Policy (CRISP), Stanford University (June 2000)
Schechter, S.E.: Computer Security Strength & Risk: A Quantitative Approach. In: Doctoral Dissertation, Harvard University (May 2004)
Butler, S.A.: Security Attribute Evaluation Method: A Cost-Benefit Approach. In: Proc. 24th Int’l Conf. Software Eng (ICSE 2002), pp. 232–240. IEEE CS Press, Los Alamitos (2002)
Anderson, E., Choobineh, J., Grimaila, M.R.: An Enterprise Level Security Requirements Specification Model. In: HICSS (2005)
Nathan, P., Hurley, W.: Non-Equilibrium Risk Models in Enterprise Network Security. In: Symbiot, Inc. P.O. Box 9646 Austin, TX 78766-9646
Moore, D., Voelker, G.M., Savage, S.: Quantitative Network Security Analysis. In: Cooperative Association for Internet Data Analysis (CAIDA), NSF-01-160 (2002)
Schechter, S.E.: Toward Econometric Models of the Security Risk from Remote Attacks. In: Proceedings of the Third Annual Workshop on the Economics of Information Security (2004)
Siegel, C.A., Sagalow, T.R., Serritella, P.: Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security. Information Systems Security 11(4) (2002)
Stephenson, P.R.: A Formal Model for Information Risk Analysis Using Colored Petri Nets. In: Colored Petri Nets (CPN) (2004)
O’Donnell, A.J., Sethu, H.: On Achieving Software Diversity for Improved Network Security using Distributed Coloring Algorithms. In: ACM Conference on Computer and Communications Security, pp. 121–131 (October 2004)
McCabe, B., Ford, D.: Using Belief Networks to Assess Risk. In: Winter Simulation Conference, pp. 1541–1546 (2001)
Kim, J., Radhakrishnan, S., Dhall, S.K.: Measurement and Analysis of Worm Propagation on Internet Network Topology. In: IEEE ICCCN 2004 Technical Program, pp. 495–500 (October 2004)
Ahuja, R.K., Orlin, J.B.: Graph and Network Optimization, http://www.ise.ufl.edu/ahuja/PAPERS/Ahuja-ELOSS-Chapter2003.pdf
Skutella, M.: Network Optimization (2005), http://www.mathematik.uni-dortmund.de/lsv/lehre/ss2005/opt/LectureNotes.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yang, FH., Chi, CH., Liu, L. (2006). A Risk Assessment Model for Enterprise Network Security. In: Yang, L.T., Jin, H., Ma, J., Ungerer, T. (eds) Autonomic and Trusted Computing. ATC 2006. Lecture Notes in Computer Science, vol 4158. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11839569_28
Download citation
DOI: https://doi.org/10.1007/11839569_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-38619-3
Online ISBN: 978-3-540-38622-3
eBook Packages: Computer ScienceComputer Science (R0)