A quantitative CVSS-based cyber security risk assessment methodology for IT systems

M. Ugur Aksu, M. Hadi Dilek, E. Islam Tatli, Kemal Bicakci, H. Ibrahim Dirik, M. Umut Demirezen, Tayfun Aykir

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

59 Citations (Scopus)

Abstract

IT system risk assessments are indispensable due to increasing cyber threats within our ever-growing IT systems. Moreover, laws and regulations urge organizations to conduct risk assessments regularly. Even though there exist several risk management frameworks and methodologies, they are in general high level, not defining the risk metrics, risk metrics values and the detailed risk assessment formulas for different risk views. To address this need, we define a novel risk assessment methodology specific to IT systems. Our model is quantitative, both asset and vulnerability centric and defines low and high level risk metrics. High level risk metrics are defined in two general categories; base and attack graph-based. In our paper, we provide a detailed explanation of formulations in each category and make our implemented software publicly available for those who are interested in applying the proposed methodology to their IT systems.

Original languageEnglish
Title of host publicationProceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017
EditorsJavier Ortega-Garcia, Aythami Morales, Julian Fierrez, Ruben Vera-Rodriguez, Riccardo Lazzeretti
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1-8
Number of pages8
ISBN (Electronic)9781538615850
DOIs
Publication statusPublished - 5 Dec 2017
Externally publishedYes
Event2017 International Carnahan Conference on Security Technology, ICCST 2017 - Madrid, Spain
Duration: 23 Oct 201726 Oct 2017

Publication series

NameProceedings - International Carnahan Conference on Security Technology
Volume2017-October
ISSN (Print)1071-6572

Conference

Conference2017 International Carnahan Conference on Security Technology, ICCST 2017
Country/TerritorySpain
CityMadrid
Period23/10/1726/10/17

Bibliographical note

Publisher Copyright:
© 2017 IEEE.

Keywords

  • attack graphs
  • cyber security risks
  • risk assessment
  • risk metrics
  • vulnerability management

Fingerprint

Dive into the research topics of 'A quantitative CVSS-based cyber security risk assessment methodology for IT systems'. Together they form a unique fingerprint.

Cite this