Abstract
This paper proposes a risk assessment process based on distinct classes and estimators, which we apply to a case study of a common communications security risk: a distributed denial of service (DDoS) attack. The novelty of the risk assessment lies in combining both the quantitative (statistical) and the qualitative (subjective, knowledge-based) aspects to model the attack and estimate the risk. The approach centres on estimates of assets, vulnerabilities, threats, controls, and the associated outcomes in the event of a DDoS, together with a statistical analysis of the risk. Our main contribution is the process for combining qualitative and quantitative estimation methods for cyber security risks, together with an insight into which technical details and variables to consider when assessing the risk of a DDoS amplification attack.
Acknowledgements
The authors acknowledge Professors Einar Snekkenes, Katrin Franke, and Dr. Roberto Ferreira Lopes from NTNU, Anders Einar Hilden from the Norwegian Security Authority (NSM), Karine Gourdon-Keller, David Fernandez, and Martin McKeay from Akamai. Also, the support from the COINS Research School for InfoSec is highly appreciated. Lastly, we acknowledge the contributions made by the anonymous reviewers.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Wangen, G., Shalaginov, A., Hallstensen, C. (2016). Cyber Security Risk Assessment of a DDoS Attack. In: Bishop, M., Nascimento, A. (eds) Information Security. ISC 2016. Lecture Notes in Computer Science(), vol 9866. Springer, Cham. https://doi.org/10.1007/978-3-319-45871-7_12
DOI: https://doi.org/10.1007/978-3-319-45871-7_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45870-0
Online ISBN: 978-3-319-45871-7