Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Allodi, Luca; Massacci, Fabio

doi:10.1111/risa.12864

Cited by 60 publications

(41 citation statements)

References 79 publications

(141 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The use of CVSS is mandated and recommended by many state agencies for assessments in different securitycritical domains [36], including but not limited to medical devices [38] and the payment card industry [2]. The standard has been also incorporated into different governmental security risk, threat, and intelligence systems.…”

Section: Introductionmentioning

confidence: 99%

A look at the time delays in CVSS vulnerability scoring

Ruohonen

2019

Applied Computing and Informatics

View full text Add to dashboard Cite

This empirical paper examines the time delays that occur between the publication of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) information attached to published CVEs. According to the empirical results based on regularized regression analysis of over eighty thousand archived vulnerabilities, (i) the CVSS content does not statistically influence the time delays, which, however, (ii) are strongly affected by a decreasing annual trend. In addition to these results, the paper contributes to the empirical research tradition of software vulnerabilities by a couple of insights on misuses of statistical methodology.

show abstract

Section: Introductionmentioning

confidence: 99%

A look at the time delays in CVSS vulnerability scoring

Ruohonen

2019

Applied Computing and Informatics

View full text Add to dashboard Cite

show abstract

“…Notable for this discussion, only ISO 27031 and NIST (NIST, 2016) provide recommendations for recovery planning, which some of the other frameworks and models have focused on less. A key point to note here is that risk estimation is used for recovery planning, and as such quantitative risk impact estimation (Allodi and Massacci, 2017) is needed for making decisions on topics such as cyber risk insurance (Öğüt, Raghunathan and Menon, 2011). The quantitative risk assessment approaches e.g.…”

Section: Empirical Analysis Of Cyber Security Framework Models and mentioning

confidence: 99%

Future developments in standardisation of cyber risk in the Internet of Things (IoT)

et al. 2020

View full text Add to dashboard Cite

In this research article, we explore the use of a design process for adapting existing cyber risk assessment standards to allow the calculation of economic impact from IoT cyber risk. The paper presents a new model that includes a design process with new risk assessment vectors, specific for IoT cyber risk. To design new risk assessment vectors for IoT, the study applied a range of methodologies, including literature review, empirical study and comparative study, followed by theoretical analysis and grounded theory. An epistemological framework emerges from applying the constructivist grounded theory methodology to draw on knowledge from existing cyber risk frameworks, models and methodologies. This framework presents the current gaps in cyber risk standards and policies, and defines the design principles of future cyber risk impact assessment. The core contribution of the article therefore, being the presentation of a new model for impact assessment of IoT cyber risk. Keywords: Cyber risk; Internet of Things cyber risk; Internet of Things risk vectors;Standardisation of cyber risk assessment; Economic impact assessment. University of OxfordUniversity of Oxford 3 analysis to uncover the best method to define a unified cyber risk assessment. In section 7 we propose a new epistemological framework for cyber risk assessment standardisation and we discuss the new impact assessment principles. In Section 8 we present the conclusions and limitations of the research. METHODOLOGYThe methods applied in this study consist of literature review, comparative study, empirical analysis, theoretical and epistemological analysis and case study workshops. The selection of methodologies is based on their flexibility to be applied simultaneously to analyse the same research topic from different perspectives. We use practical studies of major projects in the I4.0 to showcase recent developments of IoT systems in the context of I4.0 high-tech strategies. We need practical studies to bridge the gaps, to assess the impact and overcome some of the cyber risk limitations and to construct the relationship between IoT and high-tech strategies. The proposed design principles support the process of building a holistic IoT cyber risk impact assessment model. Theoretical analysisThe methodology applies theoretical analysis through logical discourse of knowledge, also known as epistemological analysis. An epistemological analysis enables an investigation on how existing knowledge is justified and what makes justified beliefs justified (Steup, 2005), what does it mean to say that we understand something (Wenning, 2009) and how do we understand that we understand.The methodology reported here has two objectives. The first objective is to enable an up-todate overview of existing and emerging cyber risk vectors from IoT advancements, which includes cyber-physical systems, the industrial Internet of things, cloud computing and cognitive computing (MEICA, 2015;Weyer et al., 2015;Liao et al., 2017). If we were performing a vector specific analysis of r...

show abstract

“…Topics on cyber crime and cyber security are very hot nowadays as the "WannaCry" problem still remains a challenge all around the world. In this special issue, Allodi and Massacci (27) explore how a quantitative risk assessment scheme can be developed for cyber security risk using the big data obtained from the IT security operations centers. To be specific, quantitative probability estimates can be obtained from big data and the authors develop a methodology that helps to specifically address the untargeted attacks toward the organization.…”

Section: Sscsmentioning

confidence: 99%

Advances in Risk Analysis with Big Data

Choi

Lambert

2017

Risk Analysis

View full text Add to dashboard Cite

With cloud computing, Internet-of-things, wireless sensors, social media, fast storage and retrieval, etc., organizations and enterprises have access to unprecedented amounts and varieties of data. Current risk analysis methodology and applications are experiencing related advances and breakthroughs. For example, highway operations data are readily available, and making use of them reduces risks of traffic crashes and travel delays. Massive data of financial and enterprise systems support decision making under risk by individuals, industries, regulators, etc. In this introductory article, we first discuss the meaning of big data for risk analysis. We then examine recent advances in risk analysis with big data in several topic areas. For each area, we identify and introduce the relevant articles that are featured in the special issue. We conclude with a discussion on future research opportunities.

show abstract

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Cited by 60 publications

References 79 publications

A look at the time delays in CVSS vulnerability scoring

A look at the time delays in CVSS vulnerability scoring

Future developments in standardisation of cyber risk in the Internet of Things (IoT)

Advances in Risk Analysis with Big Data

Contact Info

Product

Resources

About