From Exploit Prediction in the Wild to System-Specific Cyber Security Risk Metrics: Work in Progress
Pages 324 - 325
Abstract
System-specific cyber security risk depends on the likelihoods of potential multi-step attacks that combine multiple vulnerabilities, and on the corresponding losses. These likelihoods are typically obtained under the assumptions that exploits of individual vulnerabilities are statistically independent random events and that the probabilities of these events can be estimated from data on vulnerability exploits in the wild, e.g., using the Common Vulnerability Scoring System (CVSS). However, these assumptions, which do not account for the inherently adversarial nature of attacker-defender interactions, may lead to significant inaccuracies in cyber risk estimation and thus to highly inefficient risk mitigation decisions. We propose a framework for system-specific cyber security risk evaluation that addresses some of these shortcomings of conventional risk evaluation techniques by combining public information, e.g., obtained from CVSS, with private information that the system defender may be reluctant to disclose. In the proposed framework, public information on vulnerability exploits in the wild determines a system-specific cyber security risk envelope, and the defender estimates the system's cyber security risk inside this envelope using the available private information on former attacks.
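The independence assumption the abstract criticises, and the envelope idea, as an added illustration (not code from the paper): a constructed three-step attack path is scored with CVSS-derived per-step probabilities (score / 10, an assumption), the conventional independence product is compared with the Fréchet bounds that hold for any dependence between the step events, and a defender's private estimate is clamped into that envelope. The Fréchet-bound envelope is this illustration's choice, not the paper's construction.

```python
from typing import Sequence, Tuple

def cvss_to_probability(base_score: float) -> float:
    """Map a CVSS base score (0-10) to a per-step exploit probability.
    Assumption for this illustration: linear scaling, score / 10."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must lie in [0, 10]")
    return base_score / 10.0

def path_probability_independent(probs: Sequence[float]) -> float:
    """Conventional estimate: every step succeeds independently, so the
    probability of the whole multi-step attack is the plain product."""
    p = 1.0
    for x in probs:
        p *= x
    return p

def frechet_envelope(probs: Sequence[float]) -> Tuple[float, float]:
    """Bounds on P(all steps succeed) valid for ANY dependence between the
    step events (Frechet-Hoeffding bounds for an intersection):
    max(0, sum p_i - (n - 1)) <= P(joint) <= min p_i.
    The independence product always lies inside this interval."""
    n = len(probs)
    lower = max(0.0, sum(probs) - (n - 1))
    upper = min(probs)
    return lower, upper

def risk_envelope(probs: Sequence[float], loss: float) -> Tuple[float, float]:
    """Expected-loss envelope: attack-success bounds times the loss."""
    lo, hi = frechet_envelope(probs)
    return lo * loss, hi * loss

def refine_with_private_estimate(private_p: float, envelope: Tuple[float, float]) -> float:
    """Keep the defender's own estimate (e.g. from private incident data),
    but clamp it so it never leaves the publicly derived envelope."""
    lo, hi = envelope
    return min(max(private_p, lo), hi)

if __name__ == "__main__":
    # Constructed example path: three vulnerabilities with hypothetical CVSS scores.
    scores = [7.5, 9.8, 6.1]
    probs = [cvss_to_probability(s) for s in scores]
    loss = 1_000_000.0  # constructed loss figure for the compromised asset
    print("independent estimate:", path_probability_independent(probs))
    print("probability envelope:", frechet_envelope(probs))
    print("risk envelope:", risk_envelope(probs, loss))
    print("private 0.20 clamped:", refine_with_private_estimate(0.20, frechet_envelope(probs)))
```

For the constructed path the independence product is about 0.448, while any dependence structure keeps the true joint probability between 0.34 and 0.61, which is the spread the conventional point estimate hides.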
Published In
May 2024
345 pages
ISBN:9798400705977
DOI:10.1145/3649153
Copyright © 2024 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 02 July 2024
- Poster
- Research
- Refereed limited
Conference
CF '24
Acceptance Rates
CF '24 Paper Acceptance Rate 33 of 105 submissions, 31%;
Overall Acceptance Rate 273 of 785 submissions, 35%