Abstract
CyVar extends the Value-at-Risk statistic to ICT systems under attack by intelligent, goal-oriented agents. CyVar depends on two quantities: the time it takes an agent to acquire a given set of access privileges, and the time for which the agent then holds those privileges. To evaluate the former, we use the security stress, a synthetic measure of the robustness of an ICT system. We approximate this measure through the Haruspex suite, an integrated set of tools that supports ICT risk assessment and management. After defining CyVar, we show how it supports the evaluation of three versions of an industrial control system.
Notes
1. An ancient Tuscan forecaster.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Baiardi, F., Tonelli, F., Bertolini, A. (2015). CyVar: Extending Var-At-Risk to ICT. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, M.F. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science, vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_4
DOI: https://doi.org/10.1007/978-3-319-26416-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26415-8
Online ISBN: 978-3-319-26416-5
eBook Packages: Computer Science (R0)