ePrints.FRI - University of Ljubljana, Faculty of Computer and Information Science

Proactive risk management in information systems

Andrej Dobrovoljc (2018) Proactive risk management in information systems. PhD thesis.



    Managing security risks is one of the major challenges in modern information systems. Threats often arrive via the World Wide Web and are therefore difficult to predict. Attackers can thus always be a step ahead of us, and a reactive approach based on known security incidents is not sufficient. A much higher security level can be achieved by actively detecting and neutralizing software vulnerabilities. When a large number of vulnerabilities are present in a system, they have to be prioritized for removal according to their severity. With a proactive approach, in which we foresee which vulnerabilities are more likely to be exploited in practice, the highest level of security can be assured. The widely used prioritization policy based on the CVSS (Common Vulnerability Scoring System) score is frequently criticised for its poor effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. One of the key challenges in this area is therefore to identify indicators of exploitation. Since exploiting a vulnerability is fundamentally a human threat, it is reasonable to take into account the characteristics of typical attackers. We propose several prioritization methods that do so. Such methods have to be compared according to their effectiveness in risk mitigation, and to this end we have developed a valuation model that allows such comparisons. The proposed methods, which take human threats into account, were compared with the most popular existing methods. In the experiment we used vulnerability data from publicly available databases. The experimental results show that methods which take the characteristics of attackers into account are generally more effective than existing methods. Their effectiveness was also confirmed in several real information systems in practice.

    Item Type: Thesis (PhD thesis)
    Keywords: risk, threat, vulnerability, threat agent, quantitative assessment, prioritization policy
    Number of Pages: 123
    Language of Content: Slovenian
    Mentor / Co-mentors:
    Mentor: prof. dr. Denis Trček (ID 1121)
    Co-mentor: izr. prof. dr. Borut Likar
    Link to COBISS: http://www.cobiss.si/scripts/cobiss?command=search&base=51012&select=(ID=1537958851)
    Institution: University of Ljubljana
    Department: Faculty of Computer and Information Science
    Item ID: 4273
    Date Deposited: 02 Oct 2018 09:35
    Last Modified: 08 Oct 2018 10:24
    URI: http://eprints.fri.uni-lj.si/id/eprint/4273
