ABSTRACT
This paper critically surveys previous work on quantitative representation and analysis of security. Such quantified security has been presented as a general approach to precisely assess and control security. We classify a significant part of the work between 1981 and 2008 with respect to security perspective, target of quantification, underlying assumptions and type of validation. The result shows that the validity of most methods is still strikingly unclear. Despite the application of a number of techniques from fields such as computer science, economics and reliability theory to the problem, it is unclear what valid results exist with respect to operational security. Quantified security is thus a weak hypothesis because of a lack of validation and comparison between such methods against empirical data. Furthermore, many assumptions in formal treatments are not empirically well-supported in operational security and have been adopted from other fields. A number of risks are present in depending on quantitative methods with limited or no validation.