A Mathematical Framework for Risk Assessment

  • Marco Benini
  • Sabrina Sicari


Risk assessment is an important step in the development of a secure system: its goal is to identify the possible threats to a system and their impact, and hence to evaluate the associated risks. Although several systematic approaches to risk assessment have been developed, current methodologies rely substantially on the quantitative evaluations of experts. This paper addresses the problem of detaching the results of the methodology from the subjective judgements of experts, by formalising a risk assessment methodology in an appropriate mathematical framework that reduces the subjective aspects of the experts’ evaluations.
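The problem the abstract names, that a ranking of risks can hinge on one expert's numbers, is easy to see on a small attack tree. The following is an added illustration, not code or a method from the paper: it uses the conventional attack-tree rules (an AND node multiplies the likelihoods of its sub-goals, an OR node takes the maximum, risk is likelihood times impact) and constructed threat names, impacts and two hypothetical experts' estimates. A change of 0.1 in a single leaf estimate swaps which threat is ranked first.

```python
"""Attack-tree risk aggregation and its sensitivity to expert estimates.

Added example; the tree, impacts and expert estimates below are constructed
for illustration and do not come from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class Leaf:
    """An elementary attack step whose likelihood an expert estimates."""
    name: str


@dataclass
class Gate:
    """AND: every child must succeed; OR: any one child suffices."""
    name: str
    kind: str  # "AND" or "OR"
    children: List["Node"]


Node = Union[Leaf, Gate]


def likelihood(node: Node, estimates: Dict[str, float]) -> float:
    """Aggregate leaf estimates up the tree (AND = product, OR = max)."""
    if isinstance(node, Leaf):
        p = estimates[node.name]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"estimate for {node.name!r} out of [0, 1]: {p}")
        return p
    ps = [likelihood(c, estimates) for c in node.children]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        return max(ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rank_threats(threats: Dict[str, Gate], impacts: Dict[str, float],
                 estimates: Dict[str, float]) -> List[Tuple[str, float]]:
    """Return (threat, risk) pairs, highest risk first; risk = likelihood * impact."""
    scored = [(name, likelihood(tree, estimates) * impacts[name])
              for name, tree in threats.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def top_threat(threats, impacts, estimates) -> str:
    return rank_threats(threats, impacts, estimates)[0][0]


# Constructed tree: two threats to a hypothetical VoIP deployment.
EAVESDROP = Gate("eavesdrop_call", "OR", [
    Gate("mitm", "AND", [Leaf("arp_spoof"), Leaf("decrypt_weak_cipher")]),
    Leaf("compromise_media_gateway"),
])
DISRUPT = Gate("disrupt_service", "OR", [
    Leaf("flood_sip_proxy"), Leaf("registration_hijack"),
])
THREATS = {"eavesdrop_call": EAVESDROP, "disrupt_service": DISRUPT}
IMPACTS = {"eavesdrop_call": 8.0, "disrupt_service": 5.0}  # constructed scale 0-10

# Two hypothetical experts who differ only on how likely a SIP flood is.
EXPERT_A = {"arp_spoof": 0.6, "decrypt_weak_cipher": 0.5,
            "compromise_media_gateway": 0.2,
            "flood_sip_proxy": 0.5, "registration_hijack": 0.3}
EXPERT_B = dict(EXPERT_A, flood_sip_proxy=0.4)


def ranking_flips(threats, impacts, est_a, est_b) -> bool:
    """True when the two sets of estimates disagree on the highest-risk threat."""
    return top_threat(threats, impacts, est_a) != top_threat(threats, impacts, est_b)


if __name__ == "__main__":
    for label, est in (("Expert A", EXPERT_A), ("Expert B", EXPERT_B)):
        print(label, rank_threats(THREATS, IMPACTS, est))
    print("ranking flips:", ranking_flips(THREATS, IMPACTS, EXPERT_A, EXPERT_B))
```

Expert A ranks the service disruption first (risk 2.5 against 2.4); Expert B, having lowered one leaf from 0.5 to 0.4, ranks eavesdropping first (2.4 against 2.0). Any framework that wants its conclusions to survive a change of expert has to be robust to exactly this kind of perturbation, which is the goal the paper sets itself.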


Keywords: Risk Assessment, Dependency Graph, Mathematical Framework, Attack Tree, Risk Assessment Procedure





Copyright information

© Springer 2007

Authors and Affiliations

  • Marco Benini (1)
  • Sabrina Sicari (1)

  1. Dipartimento di Informatica e Comunicazione, Università degli Studi dell’Insubria, IT-21100 Varese, Italy
