Skip to main content
SpringerLink
Log in

RiskWriter: Predicting Cyber Risk of an Enterprise

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11281))

Included in the following conference series:

Abstract

Empirically measuring security posture of an enterprise is a challenging problem. One has to thoroughly understand external and, internal exposure for a given firm to assess security posture at a given time. Various security metrics are used to model each type of security exposure. Due to the lack of data on internal security metrics for a broad sample of firms, the research community has relied on external, proxy data points to assess the cyber risk of a firm. Recent studies, which attempted to solve this problem either used a small set of enterprises or used artificial datasets. Moreover, we are not aware of any existing approach to assess the security posture of an enterprise using only external and business data. In this paper, we present RiskWriter, a framework to assess the internal security posture of an enterprise using only external and business data. In our study, we measure a set of internal, external and business attributes of around 200,000 firms of different sizes, line of business, locations and security profiles for a period of 12 months. Prediction models were built by deriving, for each company, a comprehensive set of metrics using novel filtering and, normalizing techniques and then building machine learning models to assess the internal security posture of a company using only external and business data. We also evaluate RiskWriter with 2000 enterprises, with a variety of metrics and show that prediction is stable with high accuracy. Specifically for this work, the longitudinal study a broad sample of firms and for a period of one year is done for the first time.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://nvd.nist.gov/.

  2. 2.

    https://www.exploit-db.com/.

  3. 3.

    https://securityscorecard.com/.

  4. 4.

    http://www.hoovers.com/.

  5. 5.

    https://www.datanyze.com/.

  6. 6.

    https://securityonline.info/shodan-check-ip-address-whether-honeypot-real-control-system/.

References

  1. ABI Research: Cyber insurance market to reach \$10B by 2020. https://www.advisenltd.com/2015/07/30/abi-research-cyber-insurance-market-to-reach-10b-by-2020/

  2. Romanosky, S., Ablon, L., Kuehn, A., Jones, RT.: Content Analysis of Cyber Insurance Policies: How Do Carriers Write Policies and Price Cyber Risk? RAND Corporation, Santa Monica (2017). https://www.rand.org/pubs/working_papers/WR1208.html

    Book  Google Scholar 

  3. Bogomolniy, O.: Cyber insurance conundrum: using CIS critical security controls for underwriting cyber risk (2017). https://www.sans.org/reading-room/whitepapers/legal/cyber-insurance-conundrum-cis-critical-security-controls-underwriting-cyber-risk-37572

  4. Pendleton, M., Garcia-Lebron, R., Cho, J.-H., Xu, S.: A survey on systems security metrics. In: ACM Computing Survey, February 2017

    Google Scholar 

  5. Cai, F., Le-Khac, N.-A., Kechadi, M.-T.: Clustering approaches for financial data analysis: a survey. In: Proceeding of the 8th International Conference on Data Mining (DMIN 2012), NE, USA, July 2012

    Google Scholar 

  6. McInnes, L., Healy, J.: Accelerated hierarchical density based clustering. In: 2017 IEEE International Conference on Data Mining Workshops (ICDMW), pp 33–42. IEEE (2017)

    Google Scholar 

  7. Campello, R.J.G.B., Moulavi, D., Sander, J.: Density-based clustering based on hierarchical density estimates. In: Pei, J., Tseng, V.S., Cao, L., Motoda, H., Xu, G. (eds.) PAKDD 2013. LNCS (LNAI), vol. 7819, pp. 160–172. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37456-2_14

    Chapter  Google Scholar 

  8. Ho, T.K.: Random decision forest. In: Proceedings of the 3rd International Conference on Document Analysis and Recognition, pp. 278–282 (1995)

    Google Scholar 

  9. Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (1995)

    Article  MATH  Google Scholar 

  10. Liaw, A., Wiener, M.: Classification and regression by randomForest. R News 2(3), 18–22 (2002)

    Google Scholar 

  11. Nagle, F., Ransbotham, S., Westerman, G.: The effects of security management on security events. In: Annual Workshop on the Economics of Information Security (2017)

    Google Scholar 

  12. Liu, Y., et al.: Cloudy with a chance of breach: forecasting cyber security incidents. In: USENIX Security, 1009–1024 (2015)

    Google Scholar 

  13. Kannan, K., Telang, R.: Market for software vulnerabilities? Think again. Manag. Sci. 51(5), 726–740 (2005)

    Article  Google Scholar 

  14. Gupta, A., Zhdanov, D.: Growth and sustainability of managed security services networks: an economic perspective. MIS Q. 36(4), 1109–1130 (2012)

    Article  Google Scholar 

  15. Mahmood, M.A., Siponen, M., Straub, D., Rao, H.R., Raghu, T.S.: Moving toward black hat research in information systems security: an editorial introduction to the special issue. MIS Q. 34(3), 431–433 (2002)

    Article  Google Scholar 

  16. Moore, T., Dynes, S., Chang, F.R.: Identifying how firms manage cybersecurity investment. Southern Methodist University (2015). http://blog.smu.edu/research/files/2015/10/SMU-IBM.pdf

  17. Sarabi, A., Naghizadeh, P., Liu, Y., Liu, M.: Risky business: fine-grained data breach prediction using business profiles. J. Cybersecur. 2(1), 15–28 (2016)

    Article  Google Scholar 

  18. Edwards, B., Hofmeyr, S., Stephanie, F.: Hype and heavy tails: a closer look at data breaches. In: Workshop on the Economics of Information Security, vol. 14 (2015)

    Google Scholar 

  19. Veeramachaneni, K., Arnaldo, I., Cuesta-Infante, A., Korrapati, V., Basslas, C., Li, K.: AI\(^{2}\): training a big data machine to defend. In Proceedings of the 2nd IEEE International Conference on Big Data Security (2016)

    Google Scholar 

  20. Bilge, L., Han, Y., Dell’Amico, M.: RiskTeller: predicting the risk of cyber incidents. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (2017)

    Google Scholar 

  21. Kuppa, A., Grzonkowski, S., Le-Khac, N.-A.: Enabling trust in deep learning models: a digital forensics case study. In: Proceeding of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-18), NY, USA, 1–3 August 2018

    Google Scholar 

  22. Nicolls, V., Chen, L., Scanlon, M., Le-Khac, N.-A.: IPv6 security and forensics. In: Proceeding of the 6th IEEE International Conference on Innovative Computing Technology (INTECH 2016), Dublin, Ireland, August 2016

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. UCD School of Computing, Dublin, Ireland

    K. Aditya

  2. Symantec Corporation, Mountain View, USA

    K. Aditya & Slawomir Grzonkowski

  3. University College Dublin, Dublin, Ireland

    Nhien-An Le-Khac

Authors
  1. K. Aditya
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Slawomir Grzonkowski
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Nhien-An Le-Khac
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to K. Aditya .

Editor information

Editors and Affiliations

  1. Indian Institute of Science, Bangalore, India

    Vinod Ganapathy

  2. Pennsylvania State University, University Park, PA, USA

    Trent Jaeger

  3. Indian Institute of Technology Bombay, Mumbai, India

    R.K. Shyamasundar

A Appendix

A Appendix

See Tables 4 and 5.

Table 4. Datasets - multi purpose tools, infections and attack categories, and vulnerabilities and EOL found in scans
Full size table
Table 5. End of life products used for measurement
Full size table

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Aditya, K., Grzonkowski, S., Le-Khac, NA. (2018). RiskWriter: Predicting Cyber Risk of an Enterprise. In: Ganapathy, V., Jaeger, T., Shyamasundar, R. (eds) Information Systems Security. ICISS 2018. Lecture Notes in Computer Science(), vol 11281. Springer, Cham. https://doi.org/10.1007/978-3-030-05171-6_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-05171-6_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05170-9

  • Online ISBN: 978-3-030-05171-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation