Role of Attacker Capabilities in Risk Estimation and Mitigation

Role of Attacker Capabilities in Risk Estimation and Mitigation

Deepshikha Chhabra (Chandigarh University, India) and Isha Sharma (Chandigarh University, India)
DOI: 10.4018/978-1-5225-6029-6.ch015
OnDemand PDF Download:
No Current Special Offers


This chapter describes how the impacts of risk, or we may say risk exposure, are dependent upon the losses already occurred by the risk and probability to occur. There are various methods for estimating the risks and its impacts. The loss created by the threat can be reduced if the attacker does not have access to the system's objects or resources which are vulnerable to the risk. Attacker capabilities play the major role in the risk estimation and mitigation approach. Use of appropriate knowledge, skill and time to exploit the system or to create the threat comes under Attacker Capability. In this chapter, we will discuss how to include attacker capabilities when the risk estimation or mitigation plan is made. We will conclude the chapter with an appropriate study of various examples which indicate that impacts of risks can be minimised or reduced if we include the attacker capability while estimating the risk impacts and preparing the risk mitigation approach.
Chapter Preview


In today’s world producing the secure information systems is the main agenda of business. The focus of experts is to make the information system with no loopholes and highly accurate and secure. This can be achieved if there is accuracy and precision in the estimation of risk exposure. There are various risk estimation techniques. In the previous risk estimation techniques all the attack scenarios were identified and risk related to each attack was estimated. These types of approaches need high budget. The other approaches such as Octave in which the subset of factors such knowledge, expertise, availability of resources is considered (Octave, 2002). On the other hand, NIST uses factors such as capabilities of attacker and intention of attacker. The drawback of these methods is high difference between estimated and actual value of risk exposure. In these methods the assumption is that attacker has the capability of performing an attack with a condition that he has complete knowledge of the system and availability of the resources. There are basically two types of threats insider and non-insider threats. Insider threats are created by the persons within the organization or the ones who have access to all the resources of the system. This includes stealing the confidential or valuable information. On the other hand, the non-insider threats are created by the persons who do not have direct access to the resources but intend to do so. The key principle of the severity of threat lies in the capability of attacker if he can access the resources or has the capability to reach to the sensitive information. The various examples of threats are illustrated below:

  • Computer Virus: It acts as an agent who has the capability to corrupt and steal data on our personal computer.

  • Rogue Security Software: In this security attack, Attackers (cyber criminals) attempted to hinder the confidentiality of end users banking account.

  • Botnet: In this attack hacker hacks the system connected in an internet using some virus

  • Phishing: Phishing scams refers to fraudulent attempts done by cybercriminals to a private

Table 1.
Related terms
AccessIt refers to the flow of information from source which is susceptible to risk to the target which is attacker in this case (National Computer Security Center (NCSC), 1988)
AssetThe sensitive information or the data which is attacked
Attacker capabilityThe expertise or the ability of the attacker to access or to reach to the set of resources (objects) of the IS to create threat.
ImpactThe loss or the consequences which are incurred when the attack happens. The financial or legal loss which is borne when the attack happens (Dubois et al., 2010)
MeansThe factors such as tools, expertise, and knowledge which are needed to perform actions that cause the threat (Alberts and Dorofee, 2002).
ResourceFiles, data, programs which contains some valuable information.
OpportunitiesThis refers to the chance to perform the attack.
RiskUncertainty leading to loss or we may say threat of an attack.
Risk exposure  A function of the likelihood of the threat and the severity of its impacts (Wheeler, 2011).
Security Policy  The rules which decide the legal and illegal things in a security attack.
ThreatIt is something which has power to cause serious harm to the sensitive data.

Complete Chapter List

Search this Book: