Welcome to the InfoSci Platform
Reference Hub1
The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity

The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity

Lanier Watkins, John S. Hurley
Copyright: © 2016 |Volume: 6 |Issue: 3 |Pages: 10
ISSN: 1947-3435|EISSN: 1947-3443|EISBN13: 9781466692206|DOI: 10.4018/IJCWT.2016070104
Cite Article Cite Article

MLA

Watkins, Lanier, and John S. Hurley. "The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity." IJCWT vol.6, no.3 2016: pp.43-52. http://doi.org/10.4018/IJCWT.2016070104

APA

Watkins, L. & Hurley, J. S. (2016). The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity. International Journal of Cyber Warfare and Terrorism (IJCWT), 6(3), 43-52. http://doi.org/10.4018/IJCWT.2016070104

Chicago

Watkins, Lanier, and John S. Hurley. "The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity," International Journal of Cyber Warfare and Terrorism (IJCWT) 6, no.3: 43-52. http://doi.org/10.4018/IJCWT.2016070104

Export Reference

Mendeley
Favorite Full-Issue Download

Abstract

One of the major challenges to an organization achieving a certain level of preparedness to “effectively” combat existing and future cyber threats and vulnerabilities is its ability to ensure the security and reliability of its networks. Most of the existing efforts are quantitative, by nature, and limited solely to the networks and systems of the organization. It would be unfair to not acknowledge that for sure some progress has been achieved in the way that organizations, as a whole, are now positioning themselves to address the threats (GAO 2012). Unfortunately, so have the skill sets and resource levels improved for attackers--they are increasingly getting better at achieving the unwanted access to organizations' information assets. In large part the authors believe that some of this is due to the failure by methods to assess the overall vulnerability of the networks. In addition, significant levels of threats and vulnerabilities beyond organizations' networks and systems are not being given the level of attention that is warranted. In this paper, the authors propose a more comprehensive approach that enables an organization to more realistically assess its “cyber maturity” level in hope of better positioning itself to address existing and new cyber threats. The authors also propose the need to better understand another missing critical piece to the puzzle--the reliability and security of networks in terms of scientific risk-based metrics (e.g., the severity of individual vulnerabilities and overall vulnerability of the network). Their risk-based metrics focus on the probability of compromise due to a given vulnerability; employee non-adherence to company cyber-based policies; insider threats. They are: (1) built on the CVSS Base Score which is modified by developing weights derived from the Analytic Hierarchy Process (AHP) to make the overall score more representative of the impact the vulnerability has on the global infrastructure, and (2) rooted in repeatable quantitative characteristics (i.e., vulnerabilities) such as the sum of the probabilities that devices will be compromised via client-side or server-side attacks stemming from software or hardware vulnerabilities. The authors will demonstrate the feasibility of their method by applying their approach to a case study and highlighting the benefits and impediments which result.

Request Access

You do not own this content. Please login to recommend this title to your institution's librarian or purchase it from the IGI Global bookstore.