Quantitative risk assessment under multi-context environments

Abstract

If you cannot measure it, you cannot improve it. Quantifying security with metrics is important not only because we want to have a scoring system to track our efforts in hardening cyber environments, but also because current labor resources cannot administrate the exponentially enlarged network without a feasible risk prioritization methodology. Unlike height, weight or temperature, risk from vulnerabilities is sophisticated to assess and the assessment is heavily context-dependent.

Existing vulnerability assessment methodologies (e.g. CVSS scoring system, etc) mainly focus on the evaluation over intrinsic risk of individual vulnerabilities without taking their contexts into consideration. Vulnerability assessment over network usually output one aggregated metric indicating the security level of each host. However, none of these work captures the severity change of each individual vulnerabilities under different contexts.

I have captured a number of such contexts for vulnerability assessment. For example, the correlation of vulnerabilities belonging to the same application should be considered while aggregating their risk scores. At system level, a vulnerability detected on a highly depended library code should be assigned with a higher risk metric than a vulnerability on a rarely used client side application, even when the two have the same intrinsic risk. Similarly at cloud environment, vulnerabilities with higher prevalences deserve more attention. Besides, zero-day vulnerabilities are largely utilized by attackers therefore should not be ignored while assessing the risks. Historical vulnerability information at application level can be used to predict underground risks. To assess vulnerability with a higher accuracy, feasibility, scalability and efficiency, I developed a systematic vulnerability assessment approach under each of these contexts. ​