Towards an efficient vulnerability analysis methodology for better security risk management
dc.contributor.author | Poolsappasit, Nayot, author | |
dc.contributor.author | Ray, Indrajit, advisor | |
dc.contributor.author | Ray, Indrakshi, 1966-, advisor | |
dc.contributor.author | McConnell, Ross M., committee member | |
dc.contributor.author | Jayasumana, Anura P., committee member | |
dc.date.accessioned | 2007-01-03T04:41:49Z | |
dc.date.available | 2007-01-03T04:41:49Z | |
dc.date.issued | 2010 | |
dc.description.abstract | Risk management is a process that allows IT managers to balance the cost of protective measures against gains in mission capability. A system administrator has to choose a security plan that makes the best use of limited resources, and that decision is not a trivial one. Most organizations have tight budgets for IT security; therefore, the chosen plan must be reviewed as thoroughly as any other management decision. Unfortunately, even best-practice security risk management frameworks do not provide adequate information for effective risk management. Vulnerability scanning and penetration testing, which form the core of traditional risk management, identify only the set of system vulnerabilities. Given the complexity of today's network infrastructure, it is not enough to consider the presence or absence of vulnerabilities in isolation: materializing a threat usually requires chaining multiple attacks that use different vulnerabilities, a requirement far beyond the capabilities of current vulnerability scanners. Consequently, the cost of an attack, or of implementing appropriate security controls, can be assessed only in a piecemeal manner. In this work, we develop and formalize a new network vulnerability analysis model. The model encodes concisely the contributions of different security conditions that lead to system compromise. We extend the model with a systematic risk assessment methodology that supports reasoning under uncertainty in order to estimate the probability that a vulnerability is exploited. We develop a cost model to quantify the potential loss and gain that can occur in a system if certain conditions are met (or protected), and we quantify the security control cost incurred to implement a set of security hardening measures. We propose solutions for the system administrator's decision problems in risk analysis and risk mitigation analysis. Finally, we extend the vulnerability assessment model to the areas of intrusion detection and forensic investigation. | |
dc.format.medium | born digital | |
dc.format.medium | doctoral dissertations | |
dc.identifier | Poolsappasit_colostate_0053A_10071.pdf | |
dc.identifier | ETDF2010100009COMS | |
dc.identifier.uri | http://hdl.handle.net/10217/40477 | |
dc.language | English | |
dc.language.iso | eng | |
dc.publisher | Colorado State University. Libraries | |
dc.relation.ispartof | 2000-2019 | |
dc.rights | Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright. | |
dc.subject | data security | |
dc.subject | security best practice | |
dc.subject | security | |
dc.subject | risk management | |
dc.subject | multi-objective optimization | |
dc.subject | Computer security -- Management | |
dc.subject | Cyberterrorism | |
dc.subject | Information technology -- Risk management | |
dc.subject | Computer networks -- Security measures | |
dc.title | Towards an efficient vulnerability analysis methodology for better security risk management | |
dc.type | Text | |
dcterms.rights.dpla | This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s). | |
thesis.degree.discipline | Computer Science | |
thesis.degree.grantor | Colorado State University | |
thesis.degree.level | Doctoral | |
thesis.degree.name | Doctor of Philosophy (Ph.D.) |
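The abstract above describes three pieces that fit together: a graph of security conditions whose combination leads to compromise, probabilistic reasoning over that graph to estimate how likely each condition is to be reached, and a cost model that weighs expected loss against the cost of hardening measures so the administrator can pick a plan. The following is an added illustration of that workflow, written for this page; it is not code from the dissertation and does not reproduce its model. It assumes a small AND/OR attack graph, treats parent conditions as independent when combining them (a noisy-AND/noisy-OR simplification), and uses constructed exploit probabilities, loss values and hardening costs. The decision step enumerates every subset of measures and keeps the Pareto front over (implementation cost, residual expected loss), which is the multi-objective view the subject headings refer to.

```python
"""Added example (not the dissertation's model): AND/OR attack graph, probabilistic
reasoning over it, and a cost-vs-risk choice of hardening measures.
All graph nodes, probabilities, losses and costs below are constructed for illustration."""
from itertools import combinations
from typing import Dict, List, Tuple

# Node -> (gate, parents, p). For LEAF nodes p is the prior that the attacker holds the
# condition; for AND/OR nodes p is the probability the exploit succeeds once parents hold.
GRAPH: Dict[str, Tuple[str, List[str], float]] = {
    "internet_access":   ("LEAF", [], 1.0),
    "phished_creds":     ("LEAF", [], 0.3),
    "web_rce":           ("OR",  ["internet_access"], 0.6),                  # unpatched web app
    "vpn_login":         ("AND", ["internet_access", "phished_creds"], 0.9),  # VPN without MFA
    "internal_foothold": ("OR",  ["web_rce", "vpn_login"], 1.0),
    "db_admin":          ("AND", ["internal_foothold"], 0.5),                 # weak DB credentials
    "data_exfil":        ("AND", ["db_admin"], 0.8),
}

# Constructed loss (currency units) incurred if a condition is reached.
LOSS = {"data_exfil": 500_000.0, "web_rce": 20_000.0}

# Constructed hardening measures: (implementation cost, exploit probability imposed per node).
MEASURES = {
    "patch_web_app":   (5_000.0,  {"web_rce": 0.05}),
    "mfa_on_vpn":      (8_000.0,  {"vpn_login": 0.05}),
    "rotate_db_creds": (2_000.0,  {"db_admin": 0.1}),
    "dlp_egress":      (15_000.0, {"data_exfil": 0.2}),
}


def topo_order(graph):
    """Parents before children, via DFS post-order (the graph is assumed acyclic)."""
    order, seen = [], set()

    def visit(n):
        if n in seen:
            return
        seen.add(n)
        for p in graph[n][1]:
            visit(p)
        order.append(n)

    for n in graph:
        visit(n)
    return order


def compromise_probabilities(graph, overrides=None):
    """One topological pass; parents treated as independent (noisy-AND / noisy-OR)."""
    overrides = overrides or {}
    prob = {}
    for n in topo_order(graph):
        gate, parents, p = graph[n]
        p = overrides.get(n, p)
        if gate == "LEAF":
            prob[n] = p
        elif gate == "AND":                      # all parents needed, then the exploit
            reach = 1.0
            for q in parents:
                reach *= prob[q]
            prob[n] = reach * p
        elif gate == "OR":                       # any parent suffices, then the exploit
            miss = 1.0
            for q in parents:
                miss *= 1.0 - prob[q]
            prob[n] = (1.0 - miss) * p
        else:
            raise ValueError(f"unknown gate {gate!r} on {n}")
    return prob


def expected_loss(prob, loss=LOSS):
    return sum(prob[n] * v for n, v in loss.items())


def evaluate_plan(plan, graph=GRAPH, measures=MEASURES):
    """Return (implementation cost, residual expected loss) for a set of measures."""
    overrides, cost = {}, 0.0
    for m in plan:
        c, effect = measures[m]
        cost += c
        for n, p in effect.items():             # two measures on one node: keep the stronger
            overrides[n] = min(p, overrides.get(n, p))
    return cost, expected_loss(compromise_probabilities(graph, overrides))


def pareto_plans(measures=MEASURES):
    """All non-dominated (plan, cost, residual risk) triples, cheapest first."""
    names = sorted(measures)
    results = [(plan, *evaluate_plan(plan, measures=measures))
               for k in range(len(names) + 1) for plan in combinations(names, k)]
    front = [r for r in results
             if not any(o[1] <= r[1] and o[2] <= r[2] and (o[1] < r[1] or o[2] < r[2])
                        for o in results)]
    return sorted(front, key=lambda r: r[1])


def best_plan_under_budget(budget, measures=MEASURES):
    """Among affordable Pareto plans, minimise cost plus residual expected loss."""
    feasible = [r for r in pareto_plans(measures) if r[1] <= budget]
    return min(feasible, key=lambda r: r[1] + r[2])


if __name__ == "__main__":
    for plan, cost, risk in pareto_plans():
        print(f"{cost:>9.0f}  {risk:>10.0f}  {plan}")
    print("best within 6000:", best_plan_under_budget(6_000))
```

With these numbers the unhardened graph reaches `data_exfil` with probability 0.2832 and carries an expected loss of 153,600; the Pareto front makes the trade-off explicit (for example, rotating database credentials alone costs 2,000 and cuts the expected loss to 40,320, while patching the web app alone costs more and helps less, so it never appears on the front by itself). The independence assumption is the one to revisit on a real network: shared parents (the same foothold feeding several paths) make the noisy-OR overestimate coverage, which is exactly why the abstract frames the problem as reasoning under uncertainty rather than a single pass of arithmetic.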
Files
Original bundle
- Name: Poolsappasit_colostate_0053A_10071.pdf
- Size: 2.52 MB
- Format: Adobe Portable Document Format