Abstract
Empirically measuring the security posture of an enterprise is a challenging problem. One has to thoroughly understand both the external and the internal exposure of a given firm to assess its security posture at a given time. Various security metrics are used to model each type of security exposure. Due to the lack of data on internal security metrics for a broad sample of firms, the research community has relied on external, proxy data points to assess the cyber risk of a firm. Recent studies that attempted to solve this problem either used a small set of enterprises or used artificial datasets. Moreover, we are not aware of any existing approach to assess the security posture of an enterprise using only external and business data. In this paper, we present RiskWriter, a framework to assess the internal security posture of an enterprise using only external and business data. In our study, we measure a set of internal, external and business attributes of around 200,000 firms of different sizes, lines of business, locations and security profiles for a period of 12 months. Prediction models were built by deriving, for each company, a comprehensive set of metrics using novel filtering and normalizing techniques, and then building machine learning models to assess the internal security posture of a company using only external and business data. We also evaluate RiskWriter on 2000 enterprises with a variety of metrics and show that the prediction is stable with high accuracy. Specifically, this work is the first longitudinal study of a broad sample of firms over a period of one year.
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Aditya, K., Grzonkowski, S., Le-Khac, NA. (2018). RiskWriter: Predicting Cyber Risk of an Enterprise. In: Ganapathy, V., Jaeger, T., Shyamasundar, R. (eds) Information Systems Security. ICISS 2018. Lecture Notes in Computer Science(), vol 11281. Springer, Cham. https://doi.org/10.1007/978-3-030-05171-6_5
DOI: https://doi.org/10.1007/978-3-030-05171-6_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05170-9
Online ISBN: 978-3-030-05171-6