Skip to main content
SpringerLink
Log in

A quantitative assessment of security risks based on a multifaceted classification approach

  • Regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Information systems and cloud computing infrastructures are frequently exposed to various types of threats. Without detection and prevention mechanisms, the threats can materialize and cause different types of damages that usually lead to significant financial losses. The threats arise from a complex and multifaceted environment. Currently, organizations are struggling to identify the threats to their information assets and assess the overall damage they might inflict to their systems. In order to empower mangers to better plan for shielding their information systems, the paper presents two main contributions. First, a new approach to threat classification that leads to a security assessment model that is systematic, extendable, and modular. Second, a quantitative analysis of information systems based on the model.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1

Similar content being viewed by others

Notes

  1. The study examines the costs incurred by 314 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. The report shows that confidentiality data breaches are caused mainly by malicious or criminal attacks.

References

  1. Aggarwal, C., Hinneburg, A., Keim, D.: On the surprising behavior of distance metrics in high dimensional space. In: International Conference on Database Theory (ICDT), vol 1973, Springer, pp. 420–434 (2001)

  2. Alhabeeb, M., Almuhaideb, A., Le, P., Srinivasan, B.: Information security threats classification pyramid. In: IEEE 24th International conference on Advanced Information Networking and Applications Workshops (WAINA), IEEE Xplore Digital Library, pp 208–213 (2010)

  3. Amini, A., Jamil, N., Ahmad, A., Zaba, M.: Threat modeling approaches for securing cloud computing. J. Appl. Sci. 15(7), 953–967 (2015)

    Article  Google Scholar 

  4. Applegate, S., Stavrou, A.: Towards a cyber conflict taxonomy. In: 5th International Conference on Cyber Conflict, IEEE Xplore Digital Library (2013)

  5. Argyropoulos, N., Angelopoulos, K., Mouratidis, H., Fish, A.: Decision-making in security requirements engineering with constrained goal models. Comput. Secur. 10683, 262–280 (2018)

    Article  Google Scholar 

  6. Avižienis, A., Laprie, JC., Randell, B.: Dependability and its threats: a taxonomy. In: IFIP Congress Topical Sessions, pp. 91–120 (2004)

  7. Baldwin, A., Beres, Y., Duggan, G., Mont, M., Johnson, H., Middup, C., Shiu, S.: Economic methods and decision making by security professionals. In: The Tenth Workshop on the Economics of Information Security (WEIS), Springer, pp 213–238 (2013)

  8. Ben Aissa, A.: Vers une mesure économétrique de la sécurité des systémes informatiques. PhD Thesis, Faculty of Sciences of Tunis, Tunis, Tunisia (2012)

  9. Ben Aissa, A., Abercrombie, R., Sheldon, F., Mili, A.: Quantifying security threats and their potential impact: a case study. Innov. Syst. Softw. Eng. 6(1), 269–281 (2010)

    Article  Google Scholar 

  10. Ben Arfa Rabai, L., Jouini, M., Ben Aissa, A., Mili, A.: A cybersecurity model in cloud computing environments. J. King Saud Univ. Comput. Inf. Sci. 25(1), 63–75 (2013)

    Article  Google Scholar 

  11. Chidambaram, V.: Threat modeling in enterprise architecture integration. In: Enterprise Architecture and Business Competitiveness, vol. 2, No. 4 (2004)

  12. Cloud Security Alliance: The treacherous 12 top threats to cloud computing industry insights. Technical Report, Cloud Security Alliance (2017)

  13. Curphey, M., Scambray, J., Olson, E.: Improving web application security: threats and counter measures. Microsoft Corporation, Sytem Computer Services (2003)

  14. Dyer, J.: Remarks on the analytic hierarchy process. Manag. Sci. 36(3), 249–258 (1990)

    Article  MathSciNet  Google Scholar 

  15. EY.: Is cybersecurity about more than protection? Global Information Security Survey 2018–19. Technical Report, EY (2018)

  16. Farahmand, F., Navathe, S., Sharp, G., Enslow, P.: A management perspective on risk of security threats to information systems. Inf. Technol. Manag. Arch. 6(2), 202–225 (2005)

    Google Scholar 

  17. Geric, S., Hutinski, Z.: Information system security threats classifications. J. Inf. Organ. Sci. 1(31), 51–61 (2007)

    Google Scholar 

  18. Howard, M., Leblanc, D.: Writing Secure Code. Microsoft Press, Redmond (2002)

    Google Scholar 

  19. Jouini, M., Ben Arfa Rabai, L., Ben Aissa, A.: Classification of security threats in information systems. In: ANT/SEIT 2014, Procedia Computer Science, vol. 32, pp. 489–496 (2014)

  20. Jouini, M., Ben Arfa Rabai, L., Khedri, R.: A multidimensional approach towards a quantitative assessment of security threats. In: ANT/SEIT 2015, Elsevier, Procedia Computer Science, vol. 52, pp. 507–514 (2015)

  21. Jouini, M., Ben Arfa Rabai, L., Khedri, R.: Software requirements for an ultra large scale system to compute multi dimension mean failure cost. In: PDCAT 2018, Springer, pp. 361–370 (2018)

  22. Kruchten, P.: Architectural blueprints—the “4+1” view model of software architecture. IEEE Softw. 12(6), 42–50 (1995)

    Article  Google Scholar 

  23. Li, Y., Zhou, F., Qin, Y., Lin, M., Xu, Z.: Integrity-verifiable conjunctive keyword searchable encryption in cloud storage. Int. J. Inf. Secur. 17(5), 549–568 (2018)

    Article  Google Scholar 

  24. Lia, J., Lia, M., Wua, D., Song, H.: An integrated risk measurement and optimization model for trustworthy software process management. Inf. Sci. 15(191), 47–60 (2012)

    Article  Google Scholar 

  25. Mavoungou, S., Kaddoum, G., Taha, M., Matar, G.: Survey on threats and attacks on mobile networks. In: Security in Wireless Communications and Networking, IEEE Xplore Digital Library, pp. 4543–4572 (2016)

  26. Mell, P., Grance, T.: The nist definition of cloud computing. Technical Report, National Institute of Standards and Technology (2011)

  27. Munir, R., Disso, J., Awan, I., Mufti, M.: Quantitative enterprise network security risk assessment, broadband and wireless computing. In: BWCCA, pp. 437–442 (2013)

  28. Ou, X., Singhal, A.: Quantitative Security Risk Assessment of Enterprise Networks. SpringerBriefs in Computer Sciencee, Springer (2011)

  29. Ponemon Institute: 2014 cost of data breach study: Global analysis. Technical Report, Ponemon Institute LLC (2014)

  30. Ponemon Institute: Cost of a data breach report 2019. Technical Report, Ponemon Institute (2019)

  31. Pw, C.: Managing cyber risks in an interconnected world: Key finding from the global state of information security survey 2015. Technical Report, PwC (2015)

  32. Pw, C.: Strengthening digital society against cyber shocks: key findings from the global state of information security survey 2018. Technical Report, PwC (2018)

  33. Rashid, M., Mufti, M., Awan, I., Hu, YF., Disso, J.: Detection, mitigation and quantitative security risk assessment of invisible attacks at enterprise network. In: FiCloud, pp. 256–263 (2015)

  34. Ross, R.: Guide for conducting risk assessments. NIST SP-800-30rev1 (2012)

  35. Rudin, C.: Ranking with a p-norm push. In: International Conference on Computational Learning Theory (COLT), vol 4005, pp 589–604, Springer (2006)

  36. Saaty, T.: Decision making with the analytic hierarchy process. Int. J. Serv. Sci. 1(1), 83–98 (2008)

    Google Scholar 

  37. Schlette, D., Bohm, F., Caselli, M., Pernul, G.: Measuring and visualizing cyber threat intelligence quality. Int. J. Inf. Secur. 19(2), 1–18 (2020)

    Google Scholar 

  38. Sommestad, T., Ekstedt, M., Holm, H.: The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures. IEEE Syst. J. 7(7), 363–373 (2013)

    Article  Google Scholar 

  39. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1–11 (2011)

    Article  Google Scholar 

  40. Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press, Redmond (2004)

    Google Scholar 

  41. Symantec.: Internet security threat report (ISTR). Technical Report, Symantec (2016)

  42. Technical white paper.: Cloud infrastructure architecture case study vmware vsphere 5.0 and vmware vshield app 5.0. Technical Report 1.0, Technical white paper (2012)

  43. Toreini, E., Shahandashti, S., Mehrnezhad, M., Hao, F.: Domtegrity: ensuring web page integrity against malicious browser extensions. Int. J. Inf. Secur. 18(6), 659–679 (2019)

    Article  Google Scholar 

  44. van Staalduinen, M., Khan, F., Gadag, V., Reniers, G.: Functional quantitative security risk analysis (qsra) to assist in protecting critical process infrastructure. Reliab. Eng. Syst. Saf. 157, 23–34 (2017)

    Article  Google Scholar 

  45. Varia, J.: Architecting for the cloud: Best practices. Technical Report, Amazon.com (2011)

  46. von Solms, R., van Niekerk, J.: From information security to cyber security. Comput. Secur. 38, 97–102 (2013)

    Article  Google Scholar 

  47. Wangen, G., Hallstensen, C., Snekkenes, E.: A framework for estimating information security risk assessment method completeness. Int. J. Inf. Secur. 17(6), 681–699 (2018)

    Article  Google Scholar 

  48. Zio, E., Sanseverino, C.: Security assessment in complex networks exposed to terrorist hazard: a simulation approach. IJCIS 4(1/2), 80–95 (2008)

    Article  Google Scholar 

Download references

Funding

This study was funded by Natural Sciences and Engineering Research Council of Canada—NSERC—(CA) (RGPIN-6115-2014).

Author information

Authors and Affiliations

  1. SMART Laboratory, ISG Tunis, University of Tunis, Tunis, Tunisia

    Mouna Jouini & Latifa Ben Arfa Rabai

  2. College of Business, University of Buraimi, Al Buraimi, Oman

    Latifa Ben Arfa Rabai

  3. Department of Computing and Software, McMaster University, Hamilton, ON, Canada

    Ridha Khedri

Authors
  1. Mouna Jouini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Latifa Ben Arfa Rabai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ridha Khedri
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ridha Khedri.

Ethics declarations

Conflict of interest

All authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

This paper presents a revised and extended version of the material presented in  [19].

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Primary threat classification catalog

In this “Appendix,” we developed a catalog (see Table 12) including the primaries perspectives and their dimensions to help users in the assessment of the multiple facets of the problem. The proposed catalog can be extended as other dimensions may be relevant to the security of the system.

Table 12 Primary threat classification catalog
Full size table

Ordinal scale measurement proof

We show that the three properties of Definition 1 are satisfied.

Table 13 Matrix giving probabilities of failure in meeting requirements for site 2
Full size table
Table 14 Matrix giving probabilities of failure in meeting requirements for site 3
Full size table
Table 15 Matrix giving probabilities of components failure for site Site1
Full size table
Table 16 Matrix giving probabilities of components failure for site Site2
Full size table
Table 17 Matrix giving probabilities of components failure for site Site3
Full size table
Table 18 The vector of the threat occurrence probabilities per site
Full size table
  1. 1.

    Proving that .

    figure a
  2. 2.

    Proving that

    figure b
  3. 3.

    Proving that .

    figure c

    Since \(\mu \) is total, for every site we have a score that is a real number. Then every two sites are comparable through their scores.

Multidimension mean failure cost (\(M^{2}\)FC) with regard to components dimension

We deal in this “Appendix” with architectural components dimension. We will show the impact of the dimension Components on the values of the multidimension mean failure cost (\(M^{2}\)FC). In fact, this “Appendix” shows the computation details of the \(M^{2}\)FC.

We generate in this step the matrices giving Probabilities of Failure in meeting Requirements \(\text{ PFR}_{s}\) presented in Tables 13 and 14.

The list of threats relating to the three locations: Site1. Site2, and Site3 are illustrated respectively in the \(C_{s}\) matrices presented in Tables 1516, and 17.

The threats vector for three sites is given in Table 18.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Jouini, M., Ben Arfa Rabai, L. & Khedri, R. A quantitative assessment of security risks based on a multifaceted classification approach. Int. J. Inf. Secur. 20, 493–510 (2021). https://doi.org/10.1007/s10207-020-00515-6

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-020-00515-6

Keywords

Search

Navigation