Quantitative analysis for security management
Security management normally cannot be expressed as an exact numeric value. Still, it should be rated so that its state can be analyzed and its security factors managed, since security issues in web-based technology are rising. Here is a methodology to estimate one's security.

Expected damage can be derived as Cexp = ∑∑Ci(k)×P(k), where Ci(k) is the damage caused by threat k to property i and P(k) is the probability that threat k occurs. In reality this is problematic because the values cannot be obtained from a credible source. So, for accuracy, I define some more concepts. (Bold style is used to avoid confusion among terms.)
T is a set of N security technologies: T = { tn | n = 1, 2, ..., N }
S is a set of flags that mark whether each tn is applied: S = { Xt1, Xt2, ..., XtN }
Xtn = 0 (if tn is not applied) or 1 (if applied)
A is a set of M attacks: A = { a1, a2, ..., aM }
K(t, a) is the probability that security technology t defends against attack a.
W is a set of weights, one per attack: W = { wa1, wa2, ..., waM }
The security measure matrix R is given by R = WK, where K = [ K(1, A), K(2, A), ..., K(N, A) ]
That covers the basic concept of quantitative analysis in security management; now we need to adapt it to reality. The main question is how to get K, the probability of being damaged. Let Es be the event that tn protects successfully and Ea the event that attack a occurs. Then K(t, a) = P(Es) = ∑P(Es|Ea)P(Ea). Each of these values can be obtained from data.
The security measure matrix R serves to reach an objective conclusion about whether to adopt each security technology. If RIo, the R before adoption, is bigger than RIs, the remaining risk after applying the technology, that shows why the system needs the security technology.
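The following is an added worked example (not code from the article) that carries the definitions above through on constructed numbers: it builds K(t, a) from P(Es|Ea) and P(Ea), computes R = WK, and compares the weighted risk before and after applying a technology (RIo versus RIs). The attack names, weights and probabilities are invented sample input, and the residual-risk calculation assumes the technologies act independently, which the article does not state.

```python
from typing import Dict

# Constructed sample input (not from the article): M attacks with weights W
# and occurrence probabilities P(Ea), and N technologies with P(Es|Ea), the
# probability that technology t stops attack a given that a occurs.
WEIGHTS: Dict[str, float] = {"sqli": 5.0, "xss": 3.0, "brute_force": 2.0}   # W
P_ATTACK: Dict[str, float] = {"sqli": 0.4, "xss": 0.3, "brute_force": 0.2}  # P(Ea)
P_DEFEND: Dict[str, Dict[str, float]] = {                                   # P(Es|Ea)
    "waf": {"sqli": 0.8, "xss": 0.7, "brute_force": 0.0},
    "mfa": {"sqli": 0.0, "xss": 0.0, "brute_force": 0.9},
}


def k_matrix(p_defend, p_attack):
    """K(t, a) = P(Es|Ea) * P(Ea); summing a row over a gives P(Es) for t."""
    return {t: {a: p_defend[t][a] * p_attack[a] for a in p_attack} for t in p_defend}


def security_measure(weights, k):
    """R = W K: one weighted score per technology."""
    return {t: sum(weights[a] * row[a] for a in row) for t, row in k.items()}


def expected_risk(weights, p_attack, p_defend, flags):
    """Weighted expected risk with the technologies flagged in S applied.
    Assumption (not in the article): technologies act independently, so an
    attack survives with probability prod(1 - P(Es|Ea)) over the applied t."""
    total = 0.0
    for a in p_attack:
        survive = 1.0
        for t, applied in flags.items():
            if applied:
                survive *= 1.0 - p_defend[t][a]
        total += weights[a] * p_attack[a] * survive
    return total


def justify(tech, weights, p_attack, p_defend):
    """Return (RIo, RIs, adopt): risk before, risk after applying tech, and
    whether RIo > RIs, i.e. whether the system needs the technology."""
    before = expected_risk(weights, p_attack, p_defend, {tech: 0})
    after = expected_risk(weights, p_attack, p_defend, {tech: 1})
    return before, after, before > after


if __name__ == "__main__":
    K = k_matrix(P_DEFEND, P_ATTACK)
    print("R =", security_measure(WEIGHTS, K))
    for tech in P_DEFEND:
        print(tech, justify(tech, WEIGHTS, P_ATTACK, P_DEFEND))
```

With a single technology applied, RIo minus RIs equals that technology's entry in R, which is why R can rank the technologies directly.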
July 7th, 2009 - 06:37
Hi. I like the way you write. Will you post some more articles?