A Web Platform for Integrated Vulnerability Assessment and Cyber Risk Management
Abstract
1. Introduction
- with an extremely simple web-based user interface, implemented as a web application (no installation on the local machine is needed);
- standard-compliant, because it follows NIST SP 800-30;
- able to provide ready-to-distribute reports and statistics, along with vulnerability details for all the assets, giving the user a complete view of the cyber health status of the system;
- combining Vulnerability Assessment and Risk Analysis: the former is based on OpenVAS (an open source vulnerability scanning and management solution), while the latter is custom-programmed;
- able to predict values of Impact and Likelihood for every vulnerability, using three different algorithms (Average, Matrix Factorization and a Custom Algorithm) that take advantage of aggregate information about what other users have done. Note that CYRVM's user interface presents such predictions as "suggestions", which end users may override.
2. State of the Art
2.1. Risk Management
2.2. Prediction
2.3. Shared Information
3. Cyber Security Management in CYRVM
- It can be reached from any web browser and requires no installation on the user's machine;
- It is standard-compliant because it follows NIST SP 800-30;
- It integrates Vulnerability Assessment by importing OpenVAS reports (OpenVAS is a free framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution);
- It lists all the vulnerabilities of all the assets, giving the user a complete view in terms of integrity and confidentiality;
- It calculates the probability of an event and an estimate of its impact on the system;
3.1. Implemented Methodology
- Characterization of the system. In this step the boundaries of the system are identified, along with the resources and the information that constitute it.
- Threat identification. The goal of this step is to identify the potential threat-sources and compile a threat statement listing the potential threat-sources that are applicable to the system being evaluated.
- Vulnerability identification. The objective of this step is to derive a list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources.
- Controls analysis. The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat exercising a system vulnerability;
- Event likelihood analysis. The objective of this step is to derive a likelihood rating score for each vulnerability, considering threat-source motivation and capability, the nature of the vulnerability, and the current controls applied to the vulnerability;
- Event impact analysis. The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful exercise of a vulnerability by a threat, after obtaining information such as the system mission (e.g., the processes performed), system and data criticality (e.g., the system's value or importance to the organization), and system and data sensitivity.
- Risk determination. The purpose of this step is to assess the level of risk to the system.
- Recommended controls. During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided.
- Final documentation. Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.
3.2. Software Architecture
3.3. Database Structure
- the first group consists of the values supplied by OpenVAS (or similar software), which reports for every vulnerability its severity and Quality of Detection (QoD) (Figure 4). Severity ranges from 0 to 10 (where 0 is the lowest and 10 the highest), whereas QoD ranges from 0% to 99.9%.
- the second group consists of the values calculated by the software platform for Impact and Likelihood (Figure 5). These values are null if the vulnerability is not present in the given system, or 1, 2, 3, 4 or 5, meaning Very Low, Low, Medium, High, Very High.
- the third group consists of weights. Depending on the user's choices, every Impact and Likelihood value is saved with a different importance (Figure 6): the weight is 0 for minimum importance and 1 for maximum. This point is analyzed in more detail in the following sections.
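As an added, self-contained illustration (it is not code from the paper or from the CYRVM platform), the following Python function plays the role that GetRecord plays in Section 3.4: it extracts, for one scanned system, the first group of values described above (severity and QoD per vulnerability) from an OpenVAS-style XML report and checks them against the stated ranges. The sample report is constructed here and only loosely mirrors the shape of an OpenVAS/GVM report (one `result` element per finding with `host`, `nvt`, `severity` and `qod` children); the OIDs are placeholders. Because the report is an uploaded file, the function also refuses documents that carry a DTD before parsing, a minimal guard added here against entity-expansion payloads.

```python
import xml.etree.ElementTree as ET

SEVERITY_RANGE = (0.0, 10.0)   # Section 3.3: severity 0 (lowest) .. 10 (highest)
QOD_RANGE = (0.0, 99.9)        # Section 3.3: Quality of Detection 0% .. 99.9%

# Constructed sample, loosely shaped like an OpenVAS/GVM XML report.
# Hosts are documentation addresses and the OIDs are placeholders.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <host>192.0.2.10</host>
      <nvt oid="EXAMPLE-OID-1"><name>Example weak SSH configuration</name></nvt>
      <severity>5.0</severity>
      <qod><value>80</value></qod>
    </result>
    <result id="r2">
      <host>192.0.2.11</host>
      <nvt oid="EXAMPLE-OID-2"><name>Example outdated service</name></nvt>
      <severity>7.5</severity>
      <qod><value>97</value></qod>
    </result>
    <result id="r3">
      <host>192.0.2.11</host>
      <nvt oid="EXAMPLE-OID-1"><name>Example weak SSH configuration</name></nvt>
      <severity>5.0</severity>
      <qod><value>80</value></qod>
    </result>
  </results>
</report>
"""


def validate_values(severity, qod):
    """Reject values outside the ranges of Section 3.3."""
    if not SEVERITY_RANGE[0] <= severity <= SEVERITY_RANGE[1]:
        raise ValueError(f"severity {severity} outside {SEVERITY_RANGE}")
    if not QOD_RANGE[0] <= qod <= QOD_RANGE[1]:
        raise ValueError(f"QoD {qod} outside {QOD_RANGE}")


def get_record(xml_text):
    """Return {vulnerability_oid: (severity, qod)} for the scanned system.

    A report describes one system (a network of hosts), so a vulnerability
    found on several hosts is stored once; when the same OID is reported
    with different values the highest severity is kept (an assumption made
    for this example; the paper does not say how duplicates are merged).
    """
    # The report is user-uploaded input: refuse any DTD outright rather
    # than parsing it (a minimal guard; use defusedxml in production).
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not accepted in uploaded reports")
    root = ET.fromstring(xml_text)
    record = {}
    for result in root.iter("result"):
        nvt = result.find("nvt")
        oid = nvt.get("oid") if nvt is not None else None
        sev_text = result.findtext("severity")
        qod_text = result.findtext("qod/value")
        if not oid or sev_text is None or qod_text is None:
            continue  # incomplete finding: skip it rather than store garbage
        severity, qod = float(sev_text), float(qod_text)
        validate_values(severity, qod)
        previous = record.get(oid)
        if previous is None or severity > previous[0]:
            record[oid] = (severity, qod)
    return record


if __name__ == "__main__":
    for oid, (sev, qod) in sorted(get_record(SAMPLE_REPORT).items()):
        print(f"{oid}: severity={sev}, QoD={qod}%")
```

The two findings for EXAMPLE-OID-1 on different hosts collapse into one entry, so the record has exactly one row per vulnerability, which is what the DB tables of this section key on.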
3.4. Impact and Likelihood Collaborative Prediction
3.4.1. Average Algorithm
- GetRecord saves all the vulnerabilities with their severity and Quality of Detection, starting from the OpenVAS report.
- GiveSys and GiveVuln compute the number of systems and of vulnerabilities in the DB.
- InsertRecord inserts the record taken from the OpenVAS report into the DB. Inserting a new record means not only creating a new row in each table but also adding new columns when new vulnerabilities appear.
- averageImp and averageLike are the core functions of the algorithm: they calculate the mean of the Impact and Likelihood values stored in the DB. On the first occurrence of a vulnerability (i.e., when the mean is 0 because no value is stored yet), the value presented to the user is 3 (Medium).
Algorithm 1 Average algorithm.
    ImpactNew: array of int;
    LikelihoodNew: array of int;
    RecordNew = GetRecord("../report.xml");
    NumberSys = GiveSys();
    everyVuln = GiveVuln();
    InsertRecord(RecordNew);
    i = 0;
    for everyVuln do
        ImpactNew[i] = averageImp(NumberSys);
        LikelihoodNew[i] = averageLike(NumberSys);
        i = i + 1;
    end for
    return ImpactNew, LikelihoodNew;
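As an added example, not code from the paper or from the CYRVM platform, the following Python block reproduces Algorithm 1 on in-memory tables: averageImp/averageLike become one function that averages the non-null values stored for a vulnerability and falls back to 3 (Medium) when no system has recorded one, and InsertRecord adds the new system's row and any new vulnerability columns. The tables and the new record are constructed test data, and the rounding of the mean to the nearest integer level is an assumption of this example (the paper only states that a mean is presented).

```python
def average_value(table, vuln, default=3):
    """averageImp/averageLike stand-in: mean of the values stored for `vuln`
    across all systems, rounded to the 1..5 scale.

    `table` maps system -> {vulnerability: value}; a None value is the
    "(null)" of Section 3.3 (the system does not have that vulnerability).
    When no system has a value yet (the paper's first-occurrence case, where
    the mean would be 0) the default 3 (Medium) is returned.
    """
    values = [row[vuln] for row in table.values() if row.get(vuln) is not None]
    if not values:
        return default
    # int(x + 0.5) rounds halves up; Python's round() would turn 2.5 into 2.
    return min(5, max(1, int(sum(values) / len(values) + 0.5)))


def insert_record(impact, likelihood, system, record):
    """InsertRecord stand-in: add the new system as a row of both tables and
    add a column for every vulnerability not yet known to the DB. The new
    row holds only nulls until the user stores their Impact/Likelihood
    choices, so running it before or after the averages makes no difference."""
    for table in (impact, likelihood):
        for row in table.values():
            for vuln in record:
                row.setdefault(vuln, None)
        known = set().union(*(row.keys() for row in table.values()))
        table[system] = {vuln: None for vuln in known | set(record)}


def predict_average(impact, likelihood, record):
    """Algorithm 1: one Impact and one Likelihood suggestion per vulnerability
    of the new record, computed from what other users stored."""
    impact_new = {v: average_value(impact, v) for v in record}
    likelihood_new = {v: average_value(likelihood, v) for v in record}
    return impact_new, likelihood_new


# Constructed Impact/Likelihood tables for three already-assessed systems.
IMPACT = {
    "sysA": {"V1": 4, "V2": 2, "V3": None},
    "sysB": {"V1": 5, "V2": None, "V3": 3},
    "sysC": {"V1": 3, "V2": 3, "V3": None},
}
LIKELIHOOD = {
    "sysA": {"V1": 2, "V2": 1, "V3": None},
    "sysB": {"V1": 2, "V2": None, "V3": 4},
    "sysC": {"V1": 1, "V2": 2, "V3": None},
}
# Constructed record of the new system: vulnerability -> (severity, QoD).
# V4 has never been seen before, so it gets the Medium default.
NEW_RECORD = {"V1": (5.0, 80.0), "V2": (4.0, 97.0), "V4": (6.0, 60.0)}

if __name__ == "__main__":
    imp, like = predict_average(IMPACT, LIKELIHOOD, NEW_RECORD)
    insert_record(IMPACT, LIKELIHOOD, "sysNew", NEW_RECORD)
    for v in NEW_RECORD:
        print(f"{v}: impact={imp[v]} likelihood={like[v]}")
```

The V4 case is the one to watch in practice: a default of 3 on every never-seen vulnerability is a silent assumption, and a user who accepts it passively (Section 5) feeds it back into the table as if it were an assessment.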
3.4.2. Matrix Factorization Algorithm
Algorithm 2 Matrix Factorization algorithm.
    ImpactNew: array of int;
    LikelihoodNew: array of int;
    RecordNew = GetRecord("../report.xml");
    NumberSys = GiveSys();
    InsertRecordMF(RecordNew);
    ImpactNew = MatrixFactImpact();
    LikelihoodNew = MatrixFactLikelihood();
    return ImpactNew, LikelihoodNew;
- InsertRecordMF is very similar to InsertRecord of Algorithm 1, since it adds information about new vulnerabilities; in addition, it adds a record of 0 values to the two tables Impact and Likelihood;
- MatrixFactImpact and MatrixFactLikelihood implement the Matrix Factorization algorithm. Through it, the 0 values inserted in the new record of the Impact and Likelihood tables by InsertRecordMF are replaced, taking all the other users' choices into account. The resulting values are normalized and presented to the user.
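The following Python block is an added example, not code from the paper or from CYRVM, showing how the 0 placeholders written by InsertRecordMF can be filled: a small stochastic-gradient-descent matrix factorization (the textbook recommender-system formulation; the paper does not state which variant it uses) is trained on the non-zero entries of a constructed Impact table, and the estimates for the zero entries are mapped onto the 1..5 scale. The table, the rank k = 2 and the learning parameters are assumptions of this example.

```python
import random

SCALE_MIN, SCALE_MAX = 1, 5  # Impact/Likelihood scale of Section 3.3


def matrix_factorization(matrix, k=2, epochs=500, lr=0.01, reg=0.02, seed=0):
    """Factorize `matrix` (rows = systems, columns = vulnerabilities) as P * Q^T
    using only the non-zero entries as observations, and return the full
    reconstruction. Plain stochastic gradient descent with L2 regularization;
    the seed makes the run reproducible."""
    rng = random.Random(seed)
    n_rows, n_cols = len(matrix), len(matrix[0])
    P = [[rng.uniform(0.0, 1.0) for _ in range(k)] for _ in range(n_rows)]
    Q = [[rng.uniform(0.0, 1.0) for _ in range(k)] for _ in range(n_cols)]
    observed = [(i, j) for i in range(n_rows) for j in range(n_cols)
                if matrix[i][j] != 0]
    for _ in range(epochs):
        rng.shuffle(observed)
        for i, j in observed:
            err = matrix[i][j] - sum(P[i][f] * Q[j][f] for f in range(k))
            for f in range(k):
                p, q = P[i][f], Q[j][f]
                P[i][f] += lr * (err * q - reg * p)
                Q[j][f] += lr * (err * p - reg * q)
    return [[sum(P[i][f] * Q[j][f] for f in range(k)) for j in range(n_cols)]
            for i in range(n_rows)]


def to_scale(x):
    """Normalize a real-valued estimate onto the integer 1..5 scale."""
    return max(SCALE_MIN, min(SCALE_MAX, int(x + 0.5)))


def fill_missing(matrix):
    """MatrixFactImpact/MatrixFactLikelihood stand-in: keep every stored value
    and replace each 0 placeholder (written by InsertRecordMF for the new
    system) with the factorized estimate mapped onto 1..5. A 0 can never be a
    real value because the scale starts at 1, so it is an unambiguous marker."""
    approx = matrix_factorization(matrix)
    return [[v if v != 0 else to_scale(approx[i][j]) for j, v in enumerate(row)]
            for i, row in enumerate(matrix)]


# Constructed Impact table: five assessed systems plus a new one (last row)
# whose unknown entries hold the 0 placeholder. Columns are vulnerabilities.
IMPACT = [
    [5, 5, 1, 1],
    [5, 4, 1, 2],
    [4, 5, 2, 1],
    [1, 1, 5, 5],
    [2, 1, 5, 4],
    [5, 5, 0, 0],
]

if __name__ == "__main__":
    for row in fill_missing(IMPACT):
        print(row)
```

With only two observed entries in the new row, the estimate for its missing columns is weakly constrained; this is the same sparsity weakness the paper notes for the Custom Algorithm's two-system fallback in Section 4.1, and it is why the stored values, not the estimates, must remain the record of truth.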
3.4.3. Custom Algorithm
- find in the DB the system nearest to the new one (in terms of number of common vulnerabilities, severity and Quality of Detection);
- calculate, for every vulnerability, the difference between the two systems (we call it slot);
- take the Impact and Likelihood values of the common vulnerabilities and apply the calculated slot;
- if new vulnerabilities are present, calculate their Impact and Likelihood values with matrix factorization.
Algorithm 3 Custom algorithm.
    Slot: array of int;
    ImpactNew: array of int;
    LikelihoodNew: array of int;
    RecordNew = GetRecord("../report.xml");
    NumberSys = GiveSys();
    everyVuln = GiveVuln();
    InsertRecord(RecordNew);
    RecordWinner = FindWinner(RecordNew);
    RecordWinnerImpact = GetImpact(RecordWinner);
    RecordWinnerLikelihood = GetLikelihood(RecordWinner);
    TableRecordVuln = CreateTableVuln(RecordWinner, RecordNew);
    TableRecordQoD = CreateTableQoD(RecordWinner, RecordNew);
    TableRecordMatrixVuln = MatrixFactorizationC(TableRecordVuln);
    TableRecordMatrixQoD = MatrixFactorizationC(TableRecordQoD);
    i = 0;
    for everyVuln do
        Slot[i] = slotCalculation(TableRecordMatrixVuln, TableRecordMatrixQoD);
        SlotApplication(ImpactNew[i], LikelihoodNew[i], RecordWinnerLikelihood, RecordWinnerImpact, Slot[i]);
        i = i + 1;
    end for
    if differentVuln() then
        MatrixFactImp(ImpactNew, RecordWinnerImpact);
        MatrixFactLike(LikelihoodNew, RecordWinnerLikelihood);
    end if
    return ImpactNew, LikelihoodNew;
- FindWinner (returning RecordWinner). This function finds in the DB the system nearest to the new one (in terms of severity and Quality of Detection of the vulnerabilities). The underlying question is: can the information of another system that is very similar to the new one be reused? To answer it, for each vulnerability the function computes an algebraic sum of the severity and QoD values, and selects the system with the minimum difference.
- GetImpact and GetLikelihood retrieve the corresponding Impact and Likelihood values of the winner system.
- CreateTableVuln and CreateTableQoD. These two functions create two tables with two rows (the first for the winner system, the second for the new system) and N columns, where N is the number of vulnerabilities in the DB. The first table holds the severity values of the two systems, the second the QoD values. A 0 is placed wherever a value is unknown.
- MatrixFactorizationC applies Matrix Factorization to the tables produced by the previous two functions.
- slotCalculation is the core function of the algorithm: it calculates a value (here called slot) that represents how different a vulnerability is between the two systems. The idea is to take the vulnerabilities common to the new system and the WINNER system and, where needed, increase or decrease their Impact/Likelihood values based on the few differences between the two systems.
- SlotApplication applies the calculated slots to the Impact and Likelihood values of the WINNER system.
- MatrixFactImp and MatrixFactLike calculate the Impact and Likelihood values of those vulnerabilities that the new system has and the WINNER system does not.
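As an added example (not the paper's or the platform's code), the following Python block implements the first three steps of the Custom Algorithm on a constructed DB: the nearest-system search, the slot computed per common vulnerability, and its application to the WINNER system's Impact and Likelihood values. The paper does not give the slot formula, so the one used here (one level per 2.5 points of severity difference, suppressed when either detection's QoD is below 50%) and the division of QoD by 10 inside the distance are assumptions; the matrix factorization steps of Algorithm 3 are left out, and vulnerabilities that the WINNER system does not have are returned as None.

```python
SCALE_MIN, SCALE_MAX = 1, 5  # Impact/Likelihood scale of Section 3.3


def clamp(x):
    """Keep an adjusted value on the 1..5 scale."""
    return max(SCALE_MIN, min(SCALE_MAX, x))


def distance(new, other):
    """Algebraic sum, over the union of the two vulnerability sets, of the
    severity gap and the QoD gap; an unknown value counts as 0, as in the
    tables of Section 3.4.3. QoD is divided by 10 so that both terms live on
    a 0..10 scale (a weighting chosen for this example)."""
    total = 0.0
    for vuln in set(new["sev"]) | set(other["sev"]):
        total += abs(new["sev"].get(vuln, 0.0) - other["sev"].get(vuln, 0.0))
        total += abs(new["qod"].get(vuln, 0.0) - other["qod"].get(vuln, 0.0)) / 10.0
    return total


def find_winner(db, new):
    """FindWinner stand-in: the stored system with the minimum distance."""
    name = min(db, key=lambda n: distance(new, db[n]))
    return name, distance(new, db[name])


def slot_calculation(new, winner, vuln, min_qod=50.0):
    """slotCalculation stand-in (formula assumed for this example): one level
    of adjustment per 2.5 points of severity difference, truncated toward 0
    and limited to +-2, and no adjustment at all when either detection has a
    QoD below `min_qod` (a low-confidence finding should not move the value)."""
    if min(new["qod"][vuln], winner["qod"][vuln]) < min_qod:
        return 0
    step = int((new["sev"][vuln] - winner["sev"][vuln]) / 2.5)
    return max(-2, min(2, step))


def custom_predict(db, new):
    """First three steps of Algorithm 3. Vulnerabilities the winner does not
    have get None: the paper fills them with matrix factorization, which is
    left out of this example."""
    winner_name, _ = find_winner(db, new)
    winner = db[winner_name]
    impact_new, likelihood_new = {}, {}
    for vuln in new["sev"]:
        if vuln not in winner["sev"]:
            impact_new[vuln] = likelihood_new[vuln] = None
            continue
        slot = slot_calculation(new, winner, vuln)
        impact_new[vuln] = clamp(winner["impact"][vuln] + slot)
        likelihood_new[vuln] = clamp(winner["likelihood"][vuln] + slot)
    return winner_name, impact_new, likelihood_new


# Constructed DB: per stored system, severity and QoD of each vulnerability
# plus the Impact/Likelihood values the user finally stored (Section 3.3).
DB = {
    "sysA": {"sev": {"V1": 5.0, "V2": 7.5}, "qod": {"V1": 80.0, "V2": 97.0},
             "impact": {"V1": 3, "V2": 4}, "likelihood": {"V1": 2, "V2": 4}},
    "sysB": {"sev": {"V1": 5.0, "V3": 9.8}, "qod": {"V1": 80.0, "V3": 70.0},
             "impact": {"V1": 2, "V3": 5}, "likelihood": {"V1": 3, "V3": 5}},
    "sysC": {"sev": {"V2": 4.0, "V3": 9.8, "V4": 2.1},
             "qod": {"V2": 50.0, "V3": 70.0, "V4": 30.0},
             "impact": {"V2": 2, "V3": 5, "V4": 1},
             "likelihood": {"V2": 2, "V3": 4, "V4": 1}},
}
# Constructed new system: shares V1 and V2 with sysA, V5 is unknown to all.
NEW = {"sev": {"V1": 5.0, "V2": 4.0, "V5": 6.0},
       "qod": {"V1": 80.0, "V2": 97.0, "V5": 60.0}}

if __name__ == "__main__":
    winner, imp, like = custom_predict(DB, NEW)
    print("winner:", winner)
    for v in NEW["sev"]:
        print(f"{v}: impact={imp[v]} likelihood={like[v]}")
```

On this data sysA wins; V2 is less severe on the new system than on sysA, so its Impact and Likelihood are lowered by one level, while V1 is identical and keeps sysA's values.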
4. Validation and Results
4.1. Comparison of the Algorithms
- Average. It is the simplest way to solve the problem: for a given vulnerability, it gives an idea of the Impact and Likelihood values for a new system starting from the saved data. But it cannot take into account the differences between two or more systems, or the case of a system with atypical values (this is the limit of the arithmetic mean).
- Matrix Factorization. This is the best mathematical method for this type of problem under a collaborative filtering approach. It considers all the values of every system saved in the DB, including atypical values. Its only problem is that it gives the system (or systems) nearest to the new one the same importance as all the others.
- Custom Algorithm. It combines the other two: it finds the system most similar to the new one and calculates the Impact and Likelihood values starting from that nearest system. Its only problem is the calculation of Impact and Likelihood values for new vulnerabilities: in that case Matrix Factorization is used, considering only two systems (the new one and the WINNER one), but from a mathematical point of view Matrix Factorization works well with a very large amount of data, not with only two systems.
4.2. Validation Execution
- is the number of vulnerabilities;
- is the number of systems;
- is the value of Impact (or Likelihood) for vulnerability i of system j in the Test Set;
- is the calculated value of Impact (or Likelihood) for vulnerability i of system j;
- 4 is the maximum deviation between the calculated value and the Test Set one;
- Real information. 8 records consist of 8 real systems with real vulnerabilities. These networks are:
- a network composed of a CISCO router;
- a network composed of 2 mobile phones with Android 5 connected to another mobile phone acting as a hot-spot;
- a network composed of 4 PCs with Windows 10 64-bit connected to a LINKEM router;
- a Local Area Network composed of 2 PCs with Ubuntu 14.10;
- an ADSL network composed of a PC with Windows 10 64-bit, 2 PCs with Windows 7 32-bit, 2 mobile phones with Android 5 and 6, and a router;
- an ADSL network composed of 4 PCs with Windows 10 64-bit, 4 PCs with Windows 7 32-bit, and a CISCO router;
- a network composed of a router, a PC with Ubuntu Server and 2 PCs with Windows 10 64-bit;
- a network composed of a router, a PC with Fedora and 1 PC with Windows 10 64-bit;
- Random information. 20 records with completely randomly generated vulnerabilities;
- Structured information. 22 records similar to the first 8. These systems have some vulnerabilities that depend on factors such as non-updated operating systems or old firmware versions, so it is reasonable to suppose that other networks have the same problems, or a part of them.
4.3. Results
5. Interaction with the User
- Accept the prediction. The user completely agrees with every value predicted by the software and does not want to change anything.
- Follow the others. The user does not care about the choices because he trusts the software (for example, because he lacks the know-how). This case may seem identical to the previous one (the same values are saved in the Impact and Likelihood tables) but, as can easily be understood, it is very different, because here the user passively accepts the calculated values.
- Modify your values. The user decides to change just some values, typically those he is more confident about, and follows the software prediction for the other values.
6. Conclusions and Future Works
Author Contributions
Funding
Conflicts of Interest
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Russo, P.; Caponi, A.; Leuti, M.; Bianchi, G. A Web Platform for Integrated Vulnerability Assessment and Cyber Risk Management. Information 2019, 10, 242. https://doi.org/10.3390/info10070242