Abstract
This paper discusses how information about the architecture and the vulnerabilities affecting a distributed system can be used to quantitatively assess the risk to which the system is exposed. Our approach to risk evaluation can be used to assess how much one should believe in system trustworthiness and to compare different solutions, providing a tool for deciding if the additional cost of a more secure component is worth to be afforded.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Christopher Alberts, Audree Dorofee, James Stevens, and Carol Woody. Introduction to the Octave approach, http://www.cert.org/octave/, 2003.
Richard Baskerville. Information system security design methods: Implications for information systems development. ACM Computing Survey, 25(4):375–412, 1993.
Gautam Biswas, Kenneth A. Debelak, and Kazuhiko Kawamura. Application of qualitative modelling to knoweledge-based risk assessment studies. IEA/AIE ‘89: Second International Conference on Industrial & Engineering Applications of Artificial Intelligence & Expert Systems-ACM, pages 92–101, 1989.
B. Jenkins. Risk analysis helps establish a good security posture; risk management keeps it that way. whitepaper, pages 1–16, 1998.
Harvey M. Deitel, Paul J. Deitel, B. DuWaldt, and L. K. Trees. Web Services: A Technical Introduction. Prentice Hall, 2002.
Zaid Dwaikat and Francesco Parisi-Presicce. Risky trust: Risk-based analysis of software system. Proceedings of the first workshop on Software Engineering for Secure Systems (SESS05).
S. Evans, D. Heinbuch, E Kyle, J. Piorkowski,and J. Wallener. Risk-based system security engineering: Stopping attacks with intention. IEEE Security & Privacy, pages 59–62, 2004.
Network Working Group. Internet security glossary, http://rfc.net/rfc2828.html, May 2000. Request for Comments: 2828.
Michael Howard and David Leblanc. Writing secure Code. Microsoft Press, 2003.
Khaled Khan, Jun Han, and Yuliang Zheng. A framework for an active interface to characterize compositional security contracts of software components. 2001 Australian Software Engineering Conference (ASWECOl)-IEEE Computer Society Press, pages 117–126.
I.S. Moskowitz and M.H. Kang. An insecurity flow model. Proceedings of New Security Paradigms workshop, 1997.
S. Noel, S. Jajoidia, B. O‘Berry, and M. Jacobs. Efficient minimum-cost network hardening via exploit dependency graphs. Proceedings of ACSAC‘03.
M. Elisabeth Pate-Cornell. Fault tree vs. event trees in reliability analysis. Risk Analysis, 4(3): 177–186, 1984.
Mehmet Sahinoglu. Security meter:a pratical decision-tree model to quantify risk. IEEE Security & Privacy,3(3): 18–24, May/June 2005.
Bruce Schneier. Modelling security threats. Dr. Dobb’s Journal, dec 1999.
Gunter P. Sharp, Philip H. Enslow, Shamkant B. Navathe, and Fariborz Farhmand. Managing vulnerabilities of information system to security incindets. ACM International Conference: 5th international conference on Electronic commerce, pages 348–354, 2003.
O. Sheyner, J. Haines, S.Jha, R. Lippmann, and J.M. Wing. Automated generation and analysis of attack graphs. Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P‘02).
Thomas Siu. Risk-eye for IT security guy. Gsec, pages 1–20, 2004.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer Science+Business Media, LLC.
About this paper
Cite this paper
Balzarotti, D., Monga, M., Sicari, S. (2006). Assessing the risk of using vulnerable components. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_6
Download citation
DOI: https://doi.org/10.1007/978-0-387-36584-8_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29016-4
Online ISBN: 978-0-387-36584-8
eBook Packages: Computer ScienceComputer Science (R0)