A Quantitative Risk Analysis Approach for Deliberate Threats | SpringerLink

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6712)


Abstract

Organizations around the world are increasingly aware of the need to run risk management programs in order to enhance their information security. However, the majority of the existing qualitative/empirical methods fail to adhere to the terminology defined by the ISO 27000 series and treat deliberate threats in a misleading way. In this paper, a quantitative risk analysis approach for deliberate threats is introduced. The proposed approach follows the steps suggested by the ISO 27005 standard for risk management, extending them in order to focus on deliberate threats and the different information security incidents that realize them. It is based on three levels: the conceptual foundation level, the modeling tools level and the mathematical foundation level. The conceptual foundation level defines and analyzes the terminology involved, using Unified Modeling Language (UML) class diagrams. The modeling tools level introduces certain tools that assist in modeling the relations among the different concepts. Finally, the mathematical foundation level includes all the mathematical formulas and techniques used to estimate a risk value for each threat.


References

  1. Schneier, B.: Attack Trees: Modeling security threats. Dr. Dobb's Journal (1999), http://www.schneier.com/paper-attacktrees-ddj-ft.html

  2. Schneier, B.: Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)

  3. International Organization for Standardization, ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements (2005)

  4. International Organization for Standardization, ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management (2005)

  5. International Organization for Standardization, ISO/IEC 27005, Information technology – Security techniques – Information security risk management (2008)

  6. Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology, NIST (2002)

  7. Computer Emergency Response Team (CERT), Carnegie Mellon University, CERT Statistics (Historical), http://www.cert.org/stats/

  8. Moore, P.A., Ellison, J.R., Linger, C.R.: Attack Modeling for Information Security and Survivability. Carnegie Mellon University, Technical Note (2001)

  9. International Organization for Standardization, ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary (2009)

  10. CRAMM User Guide, Version 5.0 & 5.1 (2005), http://www.cramm.com/

  11. Zaobin, G., Jiufei, T., Ping, W., Vijay, V.: A Novel Security Risk Evaluation for Information Systems. In: Proceedings of the 2007 Japan-China Joint Workshop on Frontier of Computer Science and Technology, pp. 67–73 (2007)

  12. Benini, M., Sicari, S.: Assessing the risk to intercept VoIP calls. Journal of Computer Networks 52(12), 2432–2446 (2008)

  13. Object Management Group (OMG), Unified Modeling Language Specifications, http://www.omg.org/technology/documents/modeling_spec_catalog.htm#UML

  14. The CORAS method, http://coras.sourceforge.net/

  15. OCTAVE Information Security Risk Evaluation, http://www.cert.org/octave/

Editor information

Editors: Christos Xenakis, Stephen Wolthusen


Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vavoulas, N., Xenakis, C. (2011). A Quantitative Risk Analysis Approach for Deliberate Threats. In: Xenakis, C., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2010. Lecture Notes in Computer Science, vol 6712. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21694-7_2


  • DOI: https://doi.org/10.1007/978-3-642-21694-7_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-21693-0

  • Online ISBN: 978-3-642-21694-7

  • eBook Packages: Computer Science (R0)
