The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity

The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity

Lanier Watkins (Johns Hopkins University Information Security Institution, Baltimore, USA) and John S. Hurley (National Defense University, Washington D.C., USA)
DOI: 10.4018/978-1-7998-2466-4.ch099


One of the major challenges to an organization achieving a certain level of preparedness to “effectively” combat existing and future cyber threats and vulnerabilities is its ability to ensure the security and reliability of its networks. Most of the existing efforts are quantitative, by nature, and limited solely to the networks and systems of the organization. It would be unfair to not acknowledge that for sure some progress has been achieved in the way that organizations, as a whole, are now positioning themselves to address the threats (GAO 2012). Unfortunately, so have the skill sets and resource levels improved for attackers--they are increasingly getting better at achieving the unwanted access to organizations' information assets. In large part the authors believe that some of this is due to the failure by methods to assess the overall vulnerability of the networks. In addition, significant levels of threats and vulnerabilities beyond organizations' networks and systems are not being given the level of attention that is warranted. In this paper, the authors propose a more comprehensive approach that enables an organization to more realistically assess its “cyber maturity” level in hope of better positioning itself to address existing and new cyber threats. The authors also propose the need to better understand another missing critical piece to the puzzle--the reliability and security of networks in terms of scientific risk-based metrics (e.g., the severity of individual vulnerabilities and overall vulnerability of the network). Their risk-based metrics focus on the probability of compromise due to a given vulnerability; employee non-adherence to company cyber-based policies; insider threats. They are: (1) built on the CVSS Base Score which is modified by developing weights derived from the Analytic Hierarchy Process (AHP) to make the overall score more representative of the impact the vulnerability has on the global infrastructure, and (2) rooted in repeatable quantitative characteristics (i.e., vulnerabilities) such as the sum of the probabilities that devices will be compromised via client-side or server-side attacks stemming from software or hardware vulnerabilities. The authors will demonstrate the feasibility of their method by applying their approach to a case study and highlighting the benefits and impediments which result.
Chapter Preview

The Triad: Citizens, Defense And Intelligence

The 2003 World Summit on the Information Society (WSIS 2003) was a major driver in the significant shift in the view of the oversight of information within an “information society”. It called for a new, radical stakeholder-centric view, in which information was seen as a foundation of an evolving society in which decision making needed to be shared by all. Of course, this represented a significant deviation from the traditional government-driven view in which decisions regarding information should be made by various segments of the government, especially within the defense and intelligence sectors. Unfortunately, recent differences in perspective have led to an unprecedented level (at least, post- September 11th) of mistrust between the three communities: citizens, defense, and intelligence. The differences, however, are largely measured qualitatively. There are very few quantitative approaches used to measure the differences outside of the technical ones (primarily on the networks) and they don’t allow a true overall assessment of vulnerability. A framework like the one proposed in this paper may be a major step in the right direction toward establishing a baseline for trust between these three communities. There are several reasons for this, our framework measures risks: 1) in a repeatable, quantifiable and scientific way and 2) relative to the impact that locally identified vulnerabilities have had on global infrastructures. In other words, our framework can allow potentially disparate organizations (i.e., the Triad) to compare their cyber risks in an “apples to apples” manner.

Complete Chapter List

Search this Book: