This paper presents a probabilistic model-based approach aimed at evaluating quantitative measures to assess the security risks faced by an information system in operation. The proposed approach takes into account the impact of three environmental factors and their interdependencies: the vulnerability life cycle, the behavior of the attackers and the behavior of the system administrator. Several quantitative security measures are defined and evaluated. Two different scenarios are distinguished, corresponding to the case where the system vulnerabilities are discovered by a malicious user or by a non-malicious user. The proposed models are based on stochastic activity networks and describe the system states resulting from the combined modeling of the three environmental factors. Five states are distinguished (vulnerable, exposed, compromised, patched and secure) and probability measures are associated with these states to assess the level of risk faced by the system as a result of the vulnerability exploitation process. The parameters of the models, e.g. those characterizing the occurrence of vulnerability life cycle events, are derived from the analysis of public information recorded in vulnerability databases. Several sensitivity analyses are carried out for the two scenarios, in order to quantify and illustrate the impact of various parameters, including the probability of security patch application, the attack rate, etc.
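The five-state model the abstract describes, worked through as a small continuous-time Markov chain so that the state probabilities and a patch-application sensitivity analysis can be computed. This is an added example written for this page, not the paper's stochastic activity network model: the transition structure between the five states and every rate value are my assumptions, chosen only to make the computation concrete.

```python
from math import exp

STATES = ["vulnerable", "exposed", "compromised", "patched", "secure"]


def generator(exploit_rate, patch_release_rate, attack_rate, patch_apply_rate, p_apply):
    """Build the CTMC generator matrix Q (rates per day).
    Assumed transitions (my simplification, not the paper's SAN model):
      vulnerable -> exposed     : an exploit becomes available
      vulnerable -> patched     : a patch is released before any exploit
      exposed    -> compromised : an attacker exploits the vulnerability
      exposed    -> patched     : a patch is released (exploit already public)
      patched    -> secure      : the administrator applies the patch
                                  (apply rate x probability of application)
      patched    -> compromised : attack succeeds while the patch is unapplied
    'compromised' and 'secure' are absorbing."""
    idx = {s: k for k, s in enumerate(STATES)}
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]

    def add(src, dst, rate):
        q[idx[src]][idx[dst]] += rate
        q[idx[src]][idx[src]] -= rate

    add("vulnerable", "exposed", exploit_rate)
    add("vulnerable", "patched", patch_release_rate)
    add("exposed", "compromised", attack_rate)
    add("exposed", "patched", patch_release_rate)
    add("patched", "secure", patch_apply_rate * p_apply)
    add("patched", "compromised", attack_rate)
    return q


def state_probabilities(q, t, start="vulnerable", terms=200):
    """Transient distribution pi(t) by uniformization:
    pi(t) = sum_k Poisson(k; Lambda*t) * pi(0) * P^k, with P = I + Q/Lambda."""
    n = len(q)
    lam = max(-q[k][k] for k in range(n)) or 1.0
    P = [[(1.0 if r == c else 0.0) + q[r][c] / lam for c in range(n)] for r in range(n)]
    vec = [0.0] * n
    vec[STATES.index(start)] = 1.0  # pi(0): the system starts vulnerable
    result = [0.0] * n
    poisson = exp(-lam * t)  # Poisson weight for k = 0
    for k in range(terms):
        result = [result[c] + poisson * vec[c] for c in range(n)]
        vec = [sum(vec[r] * P[r][c] for r in range(n)) for c in range(n)]  # pi(0) P^(k+1)
        poisson *= lam * t / (k + 1)  # advance to the k+1 Poisson weight
    return dict(zip(STATES, result))


def compromise_probability(t, p_apply, attack_rate=0.05):
    """Risk measure: probability that the system is compromised by day t
    (constructed rates; p_apply is the probability of patch application)."""
    q = generator(exploit_rate=0.02, patch_release_rate=0.03, attack_rate=attack_rate,
                  patch_apply_rate=0.1, p_apply=p_apply)
    return state_probabilities(q, t)["compromised"]


if __name__ == "__main__":
    for p in (0.1, 0.5, 0.9):  # sensitivity to the patch-application probability
        print(f"p_apply={p}: P(compromised by day 365) = {compromise_probability(365, p):.3f}")
```

Sweeping `attack_rate` instead of `p_apply` gives the second sensitivity analysis the abstract mentions; the two discovery scenarios would be modelled by changing which states the chain starts in and which transitions are enabled.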
Marconato et al. studied this question.