Scoring Matrix Framework for Threat Factor Profiling Model
Keywords:Threat Factor Profiling, Threat Scoring Matrix, Information Security Threat.
One of the important requirements in preparing for an information security risk management system is to construct a threat profiling model that can be used to identify and classify threats. The threat profiling model provides an organization with a complete set of information including pattern of threat scenarios and analysis on the threat they encounter. However, an organization must set objectives and results of a threat profiling, as well as metrics in order to measure, appreciate and counter the potential threats. The main contribution of this paper is the framework of the threat scoring which extends our previous findings on combinations of components found in referred threat models. Furthermore, to the best of our knowledge, threat scoring framework has not been investigated by any previous approaches. In fact, the computed threat score enables the quantification of the degree of threat severity which is an important benchmark for an organization to plan their countermeasure actions. Therefore, a scoring matrix framework for Threat Factor Profiling (TFP) model that includes identification and classification of threat is proposed. The purpose of this framework is to identify threats based on activity within an information system of an organization. The Threat Profile Report presents the collected data of threat based on the predetermined matrix.
 Cambra, R. (2004), Metrics for operational security control GIAC Security Essentials Certification (GSEC) â€“ Practical Assignment, pp. 1-15.
 Casey T., Koeberl P. & Vishik C. (2011), Defining Threat Agents: Towards a More Complete Threat Analysis. In: Pohlmann N., Reimer H., Schneider W. (eds) ISSE 2010 Securing Electronic Business Processes. Vieweg+Teubner. DOI 10.1007/978-3-8348-9788-6_21
 CVSS version 2.0 complete documentation. Available at https://www.first.org/cvss/v2/guide
 CVSS version 3.0 complete documentation. Available at https://www.first.org/cvss/specification-document
 Dutta A. & McCrohan K. (2002), Management roleâ€™s in information security in a cyber economy California Management Review, 45(1), pp. 67-87, DOI:10.2307/41166154
 Fatimah Sidi, Marzanah A. Jabar, Lilly Suriani Affendey, Iskandar Ishak, Nurfadhlina Mohd Sharef, Maslina Zolkepli, Tan Ming Ming, Muhammad Faidhi Abd Mokhti, Maslina Daud, Naqliyah Zainuddin & Rafidah Abdul Hamid, (2017, 1a), A Comparative Analysis Study on Information Security Threat Models: A Propose for Threat Factor Profiling. Journal of Engineering and Applied Sciences, 12548-554. DOI: 10.3923/jeasci.2017.548.554
 Fatimah Sidi, Maslina Daud, Sabariah Ahmad, Naqliyah Zainuddin, Syafiqa Anniesa Abdullah, Marzanah A. Jabar, Lilly Suriani Affendey, Iskandar Ishak, Nurfadhlina Mohd Sharef, Maslina Zolkepli, Fatin Nur Majdina Nordin, Hashimah Amat Sejani & Saiful Ramadzan Hairani, (2017, 1b), Towards an Enhancement of Organizational Information Security through Threat Factor Profiling (TFP) Model. Journal of Physics: Conference Series, 892 (2017) 012011. ISSN: 1742-6588, DOI: 10.1088/1742-6596/892/1/012011
 Gallon, L & Bascou, J.J. (2011), CVSS attack graphs. Proceeding of the 2011 7th International Conference on Signal-Image Technology and Internet-Based Systems, November 28 â€“ December 1, 2011, IEEE Mont-de-Marsan, France, ISBN: 978-1-4673-0431-3, pp: 24-31.
 Hutchins, E. M., Cloppert, M. J. & Amin, R. M. (2011), Lockheed Martin Corporation Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and intrusion Kill Chains. Available at https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
 Ibidapo AO, Zavarsky P, Lindskog D, & Ruhl R. (2011), An analysis of CVSS v2 environmental scoring 2011 IEEE International Conf. Privacy, Secur. Risk Trust IEEE Int. Conf. Soc. Comput. PASSAT/SocialCom 2011 â€“ Proc pp.1125-1130
 Irwin, S. (2014) â€œCreating a threat profile for your organization,â€ The SANS Institute, pp. 1-31, Available at https://www.sans.org/reading-room/whitepapers/threats/creating-threat-profile-organization-35492
 Lippmann, R.P., Riordan, J.F., Yu, T.H. & Watson, K.K. (2012), Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics. Project Report IA-3. Lincoln Laboratory, Massachusetts Institute of Technology. Available at https://www.ll.mit.edu/mission/cybersec/publications/publication-files/full_papers/2012_05_22_Lippmann_TechReport_FP.pdf
 Mateski, M., Trevino, C.M., Veitch, C.K., Michalski, J., Harris, J.M., Maruoka, S. & Frye, J. (2012), Cyber Threat Metrics. SANDIA Report, SAND2012-2427. Sandia National Laboratories. Available at https://fas.org/irp/eprint/metrics.pdf
 Meier, J.D., Mackman, A., Vasireddy, S., Dunner, M., Escamilla, R. & Murukan, A. (2003), Improving web application security: Threats and Countermeasures. Microsoft Corporation.
 OWASP. (2014, 1a), Application Security Verification Standard 2014. Available at https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
 OWASP. (2014, 1b), OWASP Project. Available at https://www.owasp.org/index.php/Category:OWASP_Application_Security_Metrics_Project
 OWASP. (2016), Types of application security metrics. Available at https://www.owasp.org/index.php/Types_of_application_security_metrics
 Paparov, Y.V. (2010), Cybersecurity Metrics. NATO Science & Technology Organization. Available at https://www.sto.nato.int/publications/.../STO-EN-IST-143/EN-IST-143-03.pdf
 Rao, K.R.M. & Pant, D. (2010), A threat risk modelling framework for Geospatial Weather Information System (GWIS): A DREAD based study. Int. J. Adv. Comput. Sci. Appl., 1:20-28.
 Thompson, D.R., Di, J. & Daugherty, M.K. (2014), Teaching RFID Information Systems Security. IEEE Transactions on Education, 57(1):42-47.
 Tripathi, A. & Singh, U.K. (2011), Analyzing trends in vulnerability classes across CVSS metrics. Int. J. Comput. Appl., 36:38-44.
 Vibhandik R. & Bose A.K. (2015), Vulnerability assessment of web applications â€“ A testing approach IEEE pp. 16-21. ISBN 978-1-4799-8451-1/15
 Wang, H. & Wang A. (2007), Security Metrics for Software System. Available at https://pdfs.semanticscholar.org/0afb/5e64cfffa1e4f7e801337899a4005a8487ff.pdf
View Full Article:
How to Cite
LicenseAuthors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under aÂ Creative Commons Attribution Licensethat allows others to share the work with an acknowledgement of the work''s authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal''s published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (SeeÂ The Effect of Open Access).