Abstract
Network security is one of the crucial components of an organization's security system. Much research has been conducted to come up with a clear-cut approach for quantifying the vulnerabilities of an organization's network system. Many security standards, such as NIST SP-800 and ISO 27001, publish guidelines and clauses with a reasonable outline that paves the way towards secure system design; however, these standards do not clearly show the details of how the work is to be implemented. In this paper, we apply Fuzzy Logic methodology to quantify each factor and sub-factor derived using Goal Question Metrics (GQM) in network security. Our procedure follows a bottom-up hierarchy model, from the details of a security component up to the desired goal, in order to address vulnerabilities in a quantified manner in the Department of Transportation. Thus, our approach measures different types of potential vulnerabilities in a network.
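As an added illustration of the bottom-up, multi-layered aggregation the abstract describes (this is not code from the paper): GQM metrics on a 0..1 scale are fuzzified, combined by a Mamdani-style min/max rule base into factor scores, and those factor scores are fed through a second fuzzy layer to a goal-level vulnerability score. The metric and factor names, the triangular membership functions and the rule base are all assumptions made here, since the abstract does not specify them.

```python
def tri(x, a, b, c):
    """Triangular membership function peaking at b, zero outside (a, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Linguistic terms over a normalised 0..1 metric scale (assumed, not the paper's).
TERMS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}

def fuzzify(x):
    return {t: tri(x, *p) for t, p in TERMS.items()}

def centroid(agg, step=0.01):
    """Defuzzify the max-aggregated, min-clipped output sets by centroid."""
    num = den = 0.0
    for i in range(int(1 / step) + 1):
        y = i * step
        mu = max(min(agg[t], tri(y, *TERMS[t])) for t in TERMS)
        num, den = num + y * mu, den + mu
    return num / den if den else 0.0

def mamdani(inputs, rules):
    """inputs: {name: 0..1}; rules: [({name: term, ...}, output_term)].
    AND is min, rule aggregation is max, the crisp output is the centroid."""
    fz = {n: fuzzify(v) for n, v in inputs.items()}
    agg = {t: 0.0 for t in TERMS}
    for antecedent, out in rules:
        agg[out] = max(agg[out], min(fz[n][t] for n, t in antecedent.items()))
    return centroid(agg)

def two_input_rules(a, b):
    """Hypothetical rule base: any High -> High, both Low -> Low, else Medium."""
    return [({a: "high"}, "high"), ({b: "high"}, "high"),
            ({a: "low", b: "low"}, "low"), ({a: "medium", b: "medium"}, "medium"),
            ({a: "low", b: "medium"}, "medium"), ({a: "medium", b: "low"}, "medium")]

def factor_score(metrics, a, b):
    """Layer 1: two GQM metrics (0 = best, 1 = worst) -> one factor score."""
    return mamdani({a: metrics[a], b: metrics[b]}, two_input_rules(a, b))

def network_vulnerability(metrics):
    """Layer 2: factor scores -> goal-level score; all names are hypothetical."""
    factors = {
        "host_hardening": factor_score(metrics, "unpatched_ratio", "weak_auth_ratio"),
        "perimeter": factor_score(metrics, "open_service_ratio", "unmonitored_link_ratio"),
    }
    score = mamdani(factors, two_input_rules("host_hardening", "perimeter"))
    return {"score": score, "factors": factors}
```

Because every layer reuses the same inference engine, adding a third GQM level only means adding another rule base, which is the property that lets the hierarchy grow from sub-factors up to the goal.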
© 2021 Springer Nature Switzerland AG
Cite this paper
Shojaeshafiei, M., Etzkorn, L., Anderson, M. (2021). Network System’s Vulnerability Quantification Using Multi-layered Fuzzy Logic Based on GQM. In: Choo, KK.R., Morris, T., Peterson, G.L., Imsand, E. (eds) National Cyber Summit (NCS) Research Track 2020. NCS 2020. Advances in Intelligent Systems and Computing, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-58703-1_7
DOI: https://doi.org/10.1007/978-3-030-58703-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58702-4
Online ISBN: 978-3-030-58703-1
eBook Packages: Intelligent Technologies and Robotics (R0)