
Assessing the Risk of an Information Infrastructure Through Security Dependencies

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4347)

Abstract

We outline a framework for the risk assessment of information infrastructures that generalizes the notion of dependency with respect to security attributes such as confidentiality, integrity and availability. Dependencies are used to model an infrastructure at distinct abstraction levels, to discover attack strategies and to define risk mitigation plans. A plan is formulated in terms of a set of countermeasures, because a single countermeasure may be ineffective when a threat has alternative attack strategies. We do not detail the assessment steps; instead we focus on the integration of their results to define risk mitigation plans. Lastly, we discuss the development of programming tools to support the assessment.
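As an added illustration (example code, not from the paper or its authors), the following Python models an infrastructure as a graph of security dependencies, where each node is a component paired with a security attribute and an edge means that violating the source's attribute lets an attacker violate the destination's. Attack strategies are the paths from the attacker to a goal, and a mitigation plan is a set of countermeasures that cuts every such path. The components, dependencies, countermeasures and costs are constructed for the example, and the exhaustive minimum-cost search is one simple way to choose a plan, not the paper's method.

```python
"""
Toy security-dependency model.  Nodes are "component:attribute" strings,
an edge (src, dst) means "controlling src's attribute lets the attacker
violate dst's attribute", attack strategies are simple paths from the
attacker to a goal node, and a mitigation plan is the cheapest set of
countermeasures that leaves no such path.  Everything below is constructed
for this example: names, dependencies, countermeasures and costs are
assumptions, not data from any real infrastructure.
"""
from itertools import combinations

ATTACKER = "attacker"

# Assumed infrastructure: the attacker reaches two entry points directly,
# and each further edge is a dependency between security attributes.
DEPENDENCIES = {
    (ATTACKER, "web:integrity"),              # exposed injection flaw (assumed)
    (ATTACKER, "vpn:confidentiality"),        # password-only VPN (assumed)
    ("web:integrity", "appserver:integrity"),
    ("appserver:integrity", "db:confidentiality"),
    ("appserver:integrity", "backup:confidentiality"),
    ("backup:confidentiality", "db:confidentiality"),
    ("vpn:confidentiality", "admin_ws:integrity"),
    ("admin_ws:integrity", "db:confidentiality"),
}

# Countermeasure -> (dependency edge it removes, relative cost).  Hypothetical.
COUNTERMEASURES = {
    "patch_webapp":     ((ATTACKER, "web:integrity"), 4),
    "mfa_vpn":          ((ATTACKER, "vpn:confidentiality"), 2),
    "harden_appserver": (("web:integrity", "appserver:integrity"), 5),
    "db_acl_appserver": (("appserver:integrity", "db:confidentiality"), 1),
    "encrypt_backups":  (("backup:confidentiality", "db:confidentiality"), 2),
    "jump_host":        (("admin_ws:integrity", "db:confidentiality"), 4),
}


def attack_strategies(edges, goal, start=ATTACKER):
    """Every simple path from start to goal, i.e. every attack strategy."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, set()).add(b)
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(tuple(path))
            return
        for nxt in sorted(succ.get(node, ())):
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])

    walk(start, [start])
    return sorted(paths)


def residual_strategies(plan, goal, edges=DEPENDENCIES):
    """Attack strategies that survive once the countermeasures in plan are applied."""
    removed = {COUNTERMEASURES[c][0] for c in plan}
    return attack_strategies(set(edges) - removed, goal)


def ineffective_singletons(goal, edges=DEPENDENCIES):
    """Countermeasures that, applied on their own, still leave an attack strategy open."""
    return sorted(c for c in COUNTERMEASURES if residual_strategies((c,), goal, edges))


def cheapest_plan(goal, edges=DEPENDENCIES):
    """Exhaustive search (fine for a handful of countermeasures) for the
    lowest-cost set of countermeasures that cuts every attack strategy."""
    names = sorted(COUNTERMEASURES)
    best = None
    for k in range(1, len(names) + 1):
        for plan in combinations(names, k):
            if residual_strategies(plan, goal, edges):
                continue                     # some strategy survives, not a plan
            cost = sum(COUNTERMEASURES[c][1] for c in plan)
            if best is None or cost < best[1]:
                best = (plan, cost)
    return best


if __name__ == "__main__":
    goal = "db:confidentiality"
    for p in attack_strategies(DEPENDENCIES, goal):
        print(" -> ".join(p))
    print("single countermeasures that leave a path open:", ineffective_singletons(goal))
    print("cheapest complete plan:", cheapest_plan(goal))
```

With the constructed graph there are three attack strategies against `db:confidentiality`, every one of the six countermeasures leaves at least one of them open when applied alone, and the cheapest complete plan is `db_acl_appserver` plus `encrypt_backups` plus `mfa_vpn` (cost 5), which costs less than the two-countermeasure cut `patch_webapp` plus `mfa_vpn` (cost 6). That is the point the abstract makes: the unit of planning is the set, not the individual countermeasure.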




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Baiardi, F., Suin, S., Telmon, C., Pioli, M. (2006). Assessing the Risk of an Information Infrastructure Through Security Dependencies. In: Lopez, J. (eds) Critical Information Infrastructures Security. CRITIS 2006. Lecture Notes in Computer Science, vol 4347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11962977_4


  • DOI: https://doi.org/10.1007/11962977_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69083-2

  • Online ISBN: 978-3-540-69084-9
