Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, The Netherlands.
Department of Information Engineering and Computer Science, University of Trento, Trento, Italy.
Risk Anal. 2017 Aug;37(8):1606-1627. doi: 10.1111/risa.12864.
Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices rather than quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimates (e.g., Basel II in finance). This article presents a model and methodology that leverages the large amount of data available from the IT infrastructure of an organization's security operations center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automated tools, which make up the vast majority of attacks in the wild against users and organizations. We consider two-stage attacks whereby the attacker first breaches an Internet-facing system and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of "weaponized" vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.
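The abstract does not give the paper's model, so the following is an added illustration, not the authors' methodology: a deliberately simple two-stage model in which the attacker's "power" is the number of weaponized vulnerabilities, assumed (our assumption) to be a uniform random subset of a universe of known vulnerabilities. The breach-and-escalate probability is then exact by inclusion-exclusion over the complement events, and the final check compares it against a risk-appetite threshold. Vulnerability identifiers, the universe size and the threshold are constructed values.

```python
from fractions import Fraction
from math import comb


def p_none_weaponized(m: int, universe: int, power: int) -> Fraction:
    """Probability that none of a host's m vulnerabilities is among the
    `power` vulnerabilities the attacker has weaponized.

    Assumption (ours, not the paper's): the weaponized set is a uniform
    random `power`-subset of `universe` known vulnerabilities, so the
    count is hypergeometric and the answer is C(N-m, k) / C(N, k).
    """
    if not 0 <= m <= universe or not 0 <= power <= universe:
        raise ValueError("counts must satisfy 0 <= m, power <= universe")
    # comb() returns 0 when power > universe - m, i.e. the attacker must
    # hold at least one of the host's vulnerabilities.
    return Fraction(comb(universe - m, power), comb(universe, power))


def stage_breach_probability(vulns, universe: int, power: int) -> Fraction:
    """Probability that at least one of `vulns` is weaponized (one stage)."""
    return 1 - p_none_weaponized(len(set(vulns)), universe, power)


def two_stage_breach_probability(external, internal, universe: int,
                                 power: int) -> Fraction:
    """P(Internet-facing host breached AND escalation to the internal host).

    With A = "external host breached" and B = "internal host breached":
        P(A and B) = 1 - P(not A) - P(not B) + P(not A and not B)
    and "neither" means none of the *union* of both hosts' vulnerabilities
    is weaponized, which handles a vulnerability shared by both hosts.
    """
    ext, inn = set(external), set(internal)
    p_ext_safe = p_none_weaponized(len(ext), universe, power)
    p_int_safe = p_none_weaponized(len(inn), universe, power)
    p_both_safe = p_none_weaponized(len(ext | inn), universe, power)
    return 1 - p_ext_safe - p_int_safe + p_both_safe


def power_sweep(external, internal, universe: int, max_power: int):
    """Two-stage probability for every attacker power 0..max_power, so the
    organization can see how the estimate grows with attacker capability."""
    return [(k, two_stage_breach_probability(external, internal, universe, k))
            for k in range(max_power + 1)]


def exceeds_appetite(probability: Fraction, appetite: Fraction) -> bool:
    """True when the estimated probability is above the organization's
    risk appetite (constructed threshold; tune per organization)."""
    return probability > appetite


if __name__ == "__main__":
    # Constructed inventory: 2 remotely reachable vulnerabilities on the
    # Internet-facing host, 3 local ones on the internal host, out of a
    # universe of 10 known vulnerabilities; attacker has weaponized 4.
    EXTERNAL = ["EXT-VULN-1", "EXT-VULN-2"]
    INTERNAL = ["INT-VULN-1", "INT-VULN-2", "INT-VULN-3"]
    UNIVERSE, POWER = 10, 4
    p = two_stage_breach_probability(EXTERNAL, INTERNAL, UNIVERSE, POWER)
    print("two-stage breach probability:", p, "~", float(p))
    for k, pk in power_sweep(EXTERNAL, INTERNAL, UNIVERSE, POWER):
        print(f"  attacker power {k}: {float(pk):.3f}")
    print("exceeds appetite 0.25:", exceeds_appetite(p, Fraction(1, 4)))
```

Because `Fraction` is used throughout, the result is exact (11/21 for the constructed inventory) rather than a floating-point approximation, which makes it easy to check by hand and to compare against a qualitative matrix cell.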