On computing enterprise IT risk metrics

Sandeep Bhatt, William Horne, Prasad Rao

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

2 Citations (Scopus)

Abstract

Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security patches and enhanced monitoring. These assessments are based on various criteria, including (i) the NIST National Vulnerability Database which reports tens of thousands of vulnerabilities on individual components, with several thousand added every year, and (ii) the specifics of the enterprise IT infrastructure which includes many components. Defining and computing appropriate vulnerability metrics to support decision making remains a challenge. Currently, several IT organizations make use of the CVSS metrics that score vulnerabilities on individual components. CVSS does allow for environmental metrics, which are meant to capture the connectivity among the components; unfortunately, within Section 2.3 of [1] there are no guidelines for how these should be defined and, consequently, environmental metrics are rarely defined and used. We present a systematic approach to quantify and automatically compute the risk profile of an enterprise from information about individual vulnerabilities contained in CVSS scores. The metric we propose can be used as the CVSS environmental score. Our metric can be applied to the problem of prioritizing patches, customized to the connectivity of an enterprise. It can also be used to prioritize vulnerable components for purposes of enhanced monitoring.

Original language: English (US)
Title of host publication: Future Challenges in Security and Privacy for Academia and Industry - 26th IFIP TC 11 International Information Security Conference, SEC 2011, Proceedings
Publisher: Springer New York LLC
Pages: 271-280
Number of pages: 10
ISBN (Print): 9783642214233
DOI: https://doi.org/10.1007/978-3-642-21424-0_22
State: Published - Jan 1 2011

Publication series

Name: IFIP Advances in Information and Communication Technology
Volume: 354 AICT


All Science Journal Classification (ASJC) codes

  • Information Systems and Management

Cite this

Bhatt, S., Horne, W., & Rao, P. (2011). On computing enterprise IT risk metrics. In Future Challenges in Security and Privacy for Academia and Industry - 26th IFIP TC 11 International Information Security Conference, SEC 2011, Proceedings (pp. 271-280). (IFIP Advances in Information and Communication Technology; Vol. 354 AICT). Springer New York LLC. https://doi.org/10.1007/978-3-642-21424-0_22