User-Centric Security Assessment of Software Configurations: A Case Study

  title={User-Centric Security Assessment of Software Configurations: A Case Study},
  author={Hamza Ghani and Jesus Luna and Ivaylo Petkov and Neeraj Suri},
Software systems are invariably vulnerable to exploits, thus the need to assess their security in order to quantify the associated risk their usage entails. However, existing vulnerability assessment approaches e.g., vulnerability analyzers, have two major constraints: (a) they need the system to be already deployed to perform the analysis and, (b) they do not consider the criticality of the system within the business processes of the organization. As a result, many users, in particular small… 
3 Citations
Refinement-Aware Generation of Attack Trees
This paper forms the attack-tree generation problem and proposes a methodology to, given a system model, generate attack trees with meaningful levels of abstraction.
New Directions in Attack Tree Research: Catching up with Industrial Needs
A systematic way of characterizing diverse system threats through the use of attack trees and the availability of formal mathematical frameworks for analyzing them in a qualitative or a quantitative manner is provided.


Quantitative assessment of software vulnerabilities based on economic-driven security metrics
  • H. Ghani, Jesus Luna, N. Suri
  • Computer Science, Economics
    2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)
  • 2013
A novel approach for a systematic consideration of the relevant cost units (associated costs) for the economic damage estimation of vulnerability exploits and supports managers and decision makers in the process of prioritizing security investments to mitigate the discovered vulnerabilities.
Improving CVSS-based vulnerability prioritization and response with context information
Adding context information significantly improved the prioritization and selection of vulnerability response process in the National Vulnerability Database and contributed to the discourse on returns on security investment, measurement of security processes and quantitative security management.
Modelling and Analysing Network Security Policies in a Given Vulnerability Setting
An integrated framework for model-based symbolic interpretation, simulation and analysis with a comprehensive approach focussing on the validation of network security policies, that abstract representations of these graphs can be computed that allow comparison of focussed views on the behaviour of the system.
Common Vulnerability Scoring System
The Common Vulnerability Scoring System is a public initiative designed to address this issue by presenting a framework for assessing and quantifying the impact of software vulnerabilities.
Benchmarking cloud security level agreements using quantitative policy trees
This paper proposes a method to benchmark -- both quantitatively and qualitatively -- the Cloud SecLAs of one or more CSPs with respect to a user-defined requirement, also in the form of a SecLA.
Stakeholder Value Driven Threat Modeling for Off the Shelf Based Systems
  • Yue Chen
  • Computer Science
    29th International Conference on Software Engineering (ICSE'07 Companion)
  • 2007
As the trend of the usage of third party commercial-off-the-shelf (COTS) and open source software continuously increases, COTS security has become a major concern for many organizations whose daily
Predictive vulnerability scoring in the context of insufficient information availability
A novel approach for the predictive assessment of security vulnerabilities, taking into consideration the relevant scenarios, e.g., zero day vulnerabilities, is proposed, which is inspired by the Linear Discriminant Analysis and uses publicly available vulnerability databases such as the National Vulnerability Database (NVD) as a training data set.
An Empirically Derived Loss Taxonomy Based on Publicly Known Security Incidents
A preliminary taxonomy of losses related to security incidents is developed, a validation of the enterprise model used as a frame for the analysis and different paths of propagation of causes of incidents are identified.
Security Assessment for Communication Networks of Power Control Systems Using Attack Graph and MCDM
The attack graph and multiple criteria decision-making (MCDM) are introduced to deal with the difficulties of security assessment of power control process, and the security degree of each control step.