Towards Quantitative Risk Management for Next Generation Networks

  • Iztok Starc
  • Denis Trček
Open Access
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7216)


While user dependence on ICT is rising and the information security situation is worsening at an alarming rate, the IT industry is not able to answer, accurately and in time, questions like “How secure is our information system?” Consequently, information security risk management is reactive and lags behind incidents. To overcome this problem, the risk management paradigm has to change from reactive to active and from qualitative to quantitative. In this section, we present a computerized risk management approach that enables active risk management and is aligned with the leading initiative to make security measurable and manageable. Furthermore, we point out the deficiencies of qualitative methods and argue for the importance of using quantitative over qualitative methods in order to improve the accuracy of information security feedback information. Finally, we present two quantitative metrics that are used together in the model, enable a quantitative risk assessment, and support risk treatment decision making.


Keywords: computer security; economics of security; risk management; security metrics; security measurement



Copyright information

© The Author(s) 2012

Open Access. This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Iztok Starc (1)
  • Denis Trček (1)
  1. Faculty of Computer and Information Science, University of Ljubljana, Slovenia
