
Conference paper

A Move in the Security Measurement Stalemate: Elo-Style Ratings to Quantify Vulnerability

In Proceedings of the 2012 Workshop on New Security Paradigms — 2012, pp. 1-14
From:

1. Delft University of Technology

2. University of Amsterdam

3. Department of Informatics and Mathematical Modeling, Technical University of Denmark

4. Computer Science and Engineering, Department of Informatics and Mathematical Modeling, Technical University of Denmark

5. Language-Based Technology, Department of Informatics and Mathematical Modeling, Technical University of Denmark

One of the big problems of risk assessment in information security is the quantification of risk-related properties, such as vulnerability. Vulnerability expresses the likelihood that a threat agent acting against an asset will cause impact, for example, the likelihood that an attacker will be able to crack a password or break into a system.

This likelihood depends on the capabilities of the threat agent and the strength of the controls in place. In this paper, we provide a framework for estimating these three variables based on the Elo rating used for chess players. This framework re-interprets security from the field of Item Response Theory.

By observing the success of threat agents against assets, one can rate the strength of threats and controls, and predict the vulnerability of systems to particular threats. The application of Item Response Theory to the field of risk is new, but analogous to its application to children solving math problems.

It provides an innovative and sound way to quantify vulnerability in models of (information) security.

Language: English
Publisher: Association for Computing Machinery
Year: 2012
Pages: 1-14
Proceedings: New Security Paradigms Workshop (NSPW 2012)
ISBN: 1450317944 and 9781450317948
Types: Conference paper
DOI: 10.1145/2413296.2413298
ORCIDs: Probst, Christian W.
