Dynamic Security Risk Management Considering Systems Structural and Probabilistic Attributes

Document Type: Special Issue


Data and Communication Security Lab., Computer Engineering Department, Ferdowsi University of Mashhad, Mashhad, Iran


Today's cyber-attacks are growing more sophisticated and their volume keeps increasing. Over its lifetime an organization suffers many attacks, each exploiting different vulnerabilities, so preventing all of them is neither affordable nor effective. Selecting the optimal set of security countermeasures to protect IT assets from compromise is therefore a challenging task that requires weighing vulnerability characteristics, countermeasure effectiveness, existing security policies and budget limitations. This paper presents a dynamic security risk management framework that identifies the optimal risk mitigation plans for preventing ongoing cyber-attacks under a limited budget. Structural and probabilistic analyses of the system model are conducted as two parallel and independent aspects, from which the system's most probable risk hotspots are identified. The suitability of each countermeasure is also calculated from its ability to cover vulnerabilities and its compliance with organizational security policies. Moreover, a novel algorithm for dynamically conducting cost-benefit analysis is proposed that identifies optimal security risk mitigation plans. Finally, practical applicability is demonstrated through a case study.
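The abstract names four ingredients: a structural view of the system model, a probabilistic view, a countermeasure suitability score that respects security policy, and a budget-limited cost-benefit selection. The following toy is an added illustration of how those pieces fit together; it is not the paper's framework or its algorithm. The attack graph, exploitation probabilities, asset impacts and countermeasure table are all constructed, the probability model is a simple noisy-OR over a Bayesian-attack-graph style DAG, and the selection step is exhaustive subset search (feasible only because the table is tiny).

```python
"""Toy risk hotspot analysis and budget-constrained mitigation planning.

Added example, not the paper's code. All data below is constructed.
"""
from itertools import combinations

# Constructed attack graph: node -> [(parent, vulnerability exploited to reach node)]
GRAPH = {
    "attacker": [],
    "web": [("attacker", "v_web")],
    "ftp": [("attacker", "v_ftp")],
    "app": [("web", "v_app")],
    "db": [("app", "v_db_app"), ("web", "v_db_web"), ("ftp", "v_db_ftp")],
}
# Constructed per-vulnerability exploitation probabilities (in practice derived
# from CVSS-style metrics); these are the probabilistic attributes.
EXPLOIT_PROB = {"v_web": 0.8, "v_ftp": 0.5, "v_app": 0.6,
                "v_db_app": 0.7, "v_db_web": 0.3, "v_db_ftp": 0.4}
# Constructed loss if the asset is compromised.
IMPACT = {"web": 20.0, "ftp": 10.0, "app": 40.0, "db": 100.0}
# Constructed countermeasures: id -> (cost, effectiveness, vulnerabilities covered).
# Effectiveness is the fraction by which the exploit probability is reduced.
COUNTERMEASURES = {
    "patch_web": (3, 0.9, {"v_web"}),
    "patch_app": (4, 0.8, {"v_app"}),
    "waf": (2, 0.5, {"v_web", "v_app"}),
    "harden_db": (5, 0.7, {"v_db_app", "v_db_web", "v_db_ftp"}),
    "disable_ftp": (1, 1.0, {"v_ftp"}),
}


def attack_paths(target):
    """Structural view: every attacker-to-target path as its vulnerability sequence.
    Walks the DAG backwards from the target; no cycle handling is needed here."""
    paths = []

    def walk(node, suffix):
        if node == "attacker":
            paths.append(tuple(reversed(suffix)))
            return
        for parent, vuln in GRAPH[node]:
            walk(parent, suffix + [vuln])

    walk(target, [])
    return paths


def structural_hotspots(target):
    """Rank vulnerabilities by how many attack paths to the target traverse them."""
    counts = {}
    for path in attack_paths(target):
        for vuln in set(path):
            counts[vuln] = counts.get(vuln, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def mitigated_probabilities(plan):
    """Exploit probability per vulnerability after applying the countermeasures in plan."""
    probs = dict(EXPLOIT_PROB)
    for cm in plan:
        _cost, eff, covered = COUNTERMEASURES[cm]
        for vuln in covered:
            probs[vuln] *= 1.0 - eff
    return probs


def compromise_probabilities(plan=()):
    """Probabilistic view: noisy-OR propagation from the attacker through the DAG.
    Parent events are treated as independent, the usual simplifying assumption."""
    p_vuln = mitigated_probabilities(plan)
    memo = {"attacker": 1.0}

    def prob(node):
        if node not in memo:
            miss = 1.0
            for parent, vuln in GRAPH[node]:
                miss *= 1.0 - prob(parent) * p_vuln[vuln]
            memo[node] = 1.0 - miss
        return memo[node]

    return {node: prob(node) for node in GRAPH}


def total_risk(plan=()):
    """Expected loss: sum over assets of compromise probability times impact."""
    probs = compromise_probabilities(plan)
    return sum(probs[node] * IMPACT[node] for node in IMPACT)


def select_plan(budget, blocked=frozenset()):
    """Cost-benefit selection: the affordable, policy-compliant subset of
    countermeasures with the lowest residual risk. Exhaustive search."""
    allowed = [cm for cm in COUNTERMEASURES if cm not in blocked]
    best_plan, best_risk = frozenset(), total_risk(())
    for size in range(1, len(allowed) + 1):
        for combo in combinations(allowed, size):
            if sum(COUNTERMEASURES[cm][0] for cm in combo) > budget:
                continue
            risk = total_risk(combo)
            if risk < best_risk:
                best_plan, best_risk = frozenset(combo), risk
    return {"plan": best_plan,
            "cost": sum(COUNTERMEASURES[cm][0] for cm in best_plan),
            "risk_before": total_risk(()),
            "risk_after": best_risk}


if __name__ == "__main__":
    print("structural hotspots:", structural_hotspots("db"))
    # Policy says the FTP service must stay up, so disabling it is not selectable.
    print("with policy:", select_plan(budget=6, blocked={"disable_ftp"}))
    print("without policy:", select_plan(budget=6))
```

Running it shows the two views agreeing on `v_web` as the hotspot (it lies on two of the three paths to `db` and carries the highest exploit probability), and shows why policy must enter the selection: with `disable_ftp` blocked the best affordable plan is `{patch_web, waf}`, while lifting the policy lets the cheap `disable_ftp` join that plan and cut residual risk much further for the same budget. For a realistic countermeasure table the exhaustive search would be replaced by a knapsack-style or heuristic optimizer.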


