Scoring Matrix Framework for Threat Factor Profiling Model

 
 
 
  • Abstract


    One of the important requirements in preparing for an information security risk management system is to construct a threat profiling model that can be used to identify and classify threats. The threat profiling model provides an organization with a complete set of information, including patterns of threat scenarios and an analysis of the threats it encounters. However, an organization must set the objectives and expected results of threat profiling, as well as metrics, in order to measure, appreciate and counter potential threats. The main contribution of this paper is a threat scoring framework, which extends our previous findings on combinations of components found in the referred threat models. Furthermore, to the best of our knowledge, a threat scoring framework has not been investigated in any previous approach. The computed threat score quantifies the degree of threat severity, which is an important benchmark for an organization planning its countermeasures. Therefore, a scoring matrix framework for the Threat Factor Profiling (TFP) model that includes identification and classification of threats is proposed. The purpose of this framework is to identify threats based on activity within an organization's information system. The Threat Profile Report presents the collected threat data based on the predetermined matrix.

     


  • Keywords


    Threat Factor Profiling; Threat Scoring Matrix; Information Security Threat.



 


Article ID: 25471
 
DOI: 10.14419/ijet.v8i1.4.25471




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.