On computing enterprise IT risk metrics

Sandeep Bhatt, William Horne, Prasad Rao

Research output: Contribution to journal, Article

Abstract

Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security patches and enhanced monitoring. These assessments are based on various criteria, including (i) the NIST National Vulnerability Database, which reports tens of thousands of vulnerabilities on individual components, with several thousand added every year, and (ii) the specifics of the enterprise IT infrastructure, which includes many components. Defining and computing appropriate vulnerability metrics to support decision making remains a challenge. Currently, several IT organizations make use of the CVSS metrics that score vulnerabilities on individual components. CVSS does allow for environmental metrics, which are meant to capture the connectivity among the components; unfortunately, within Section 2.3 of [1] there are no guidelines for how these should be defined and, consequently, environmental metrics are rarely defined and used. We present a systematic approach to quantify and automatically compute the risk profile of an enterprise from information about individual vulnerabilities contained in CVSS scores. The metric we propose can be used as the CVSS environmental score. Our metric can be applied to the problem of prioritizing patches, customized to the connectivity of an enterprise. It can also be used to prioritize vulnerable components for purposes of enhanced monitoring.

Original language: English (US)
Journal: HP Laboratories Technical Report
Issue number: 26
State: Published - Feb 28 2011
Externally published: Yes

Cite this

Bhatt, Sandeep ; Horne, William ; Rao, Prasad. / On computing enterprise IT risk metrics. In: HP Laboratories Technical Report. 2011 ; No. 26.

Scopus record: http://www.scopus.com/inward/record.url?scp=79951878081&partnerID=8YFLogxK

Cited by (Scopus): http://www.scopus.com/inward/citedby.url?scp=79951878081&partnerID=8YFLogxK