Managing risk is an important part of managing information security in an organization. Risk management covers identifying, controlling and minimizing the impact of adverse events. Risk assessment, a fundamental part of the risk management cycle, is a study of vulnerabilities, threats, the relationship between them and their likelihood of occurring, the effectiveness of security measures, and the loss or impact to the organization when such an event happens. Risk assessment thus provides a basis for establishing policies and selecting the related controls. Vulnerability assessment, a critical step in risk assessment, is the process of examining the weaknesses in an organization's complex risk environment. However, vulnerability assessment requires extensive expert knowledge of information security management and risk analysis. Its success also relies on the availability of up-to-date security-related data, which is often the bottleneck of any risk analysis exercise. In this research we propose a knowledge framework that aims to facilitate dynamic vulnerability assessment by utilizing the available knowledge of information risk assessment. The framework consists of ontology-based information security knowledge for vulnerability assessment, a data integration mechanism and a vulnerability assessment tool. Security knowledge in the ontology is used to analyze the risk data requirement of a particular vulnerability assessment activity. After the risk data requirement has been extracted from the ontology for a given list of identified threats, schema matching between the risk data requirement and the available data sources is performed via a pre-defined mapping table. The matched data is then imported into a central database and used as evidence for reasoning about the existence of each threat.
The existence of a threat is determined via a Threat-Vulnerability-Entity (TVE) chain: a threat is considered to exist when a vulnerability related to that threat is found to be present on an entity. The resulting TVE chains are presented graphically as a threat model. A prototype applying the concepts of the knowledge framework, the Dynamic Vulnerability Assessment Workbench (DVAW), was developed. A case study using our departmental laboratory as an example shows how the knowledge framework is utilized.
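The reasoning pipeline described above (risk data requirement from the ontology, schema matching through a mapping table into a central table, then TVE chain checking) as an added example. This is not code from the thesis or from DVAW; the ontology fragment, the mapping table, the data sources, the host names and all data values are constructed assumptions for illustration.

```python
"""Toy Threat-Vulnerability-Entity (TVE) chain reasoner.

Added illustration only, not thesis or DVAW code. The ontology fragment,
mapping table, data sources and host names below are all constructed.
"""

# Ontology fragment (constructed): threat -> vulnerability -> required
# risk-data fields, each with a predicate the evidence must satisfy.
ONTOLOGY = {
    "unauthorised_remote_login": {
        "weak_password_policy": {"min_password_length": lambda v: v < 8},
        "ssh_exposed": {"ssh_open_to_internet": lambda v: v is True},
    },
    "malware_infection": {
        "outdated_antivirus": {"av_signature_age_days": lambda v: v > 7},
        "unpatched_os": {"pending_critical_patches": lambda v: v > 0},
    },
}

# Pre-defined mapping table (constructed): (source, column) -> risk-data field.
MAPPING = {
    ("inventory_csv", "host"): "entity",
    ("inventory_csv", "pwlen"): "min_password_length",
    ("firewall_export", "hostname"): "entity",
    ("firewall_export", "ssh_inet"): "ssh_open_to_internet",
    ("av_console", "machine"): "entity",
    ("av_console", "sig_age"): "av_signature_age_days",
    ("patch_console", "machine"): "entity",
    ("patch_console", "crit_missing"): "pending_critical_patches",
}

# Constructed data sources, each with its own schema. lab-printer-01 appears
# only in the inventory, so most of its evidence is missing.
SOURCES = {
    "inventory_csv": [{"host": "lab-pc-01", "pwlen": 6},
                      {"host": "lab-srv-01", "pwlen": 12},
                      {"host": "lab-printer-01", "pwlen": 4}],
    "firewall_export": [{"hostname": "lab-pc-01", "ssh_inet": True},
                        {"hostname": "lab-srv-01", "ssh_inet": True}],
    "av_console": [{"machine": "lab-pc-01", "sig_age": 30},
                   {"machine": "lab-srv-01", "sig_age": 1}],
    "patch_console": [{"machine": "lab-pc-01", "crit_missing": 0},
                      {"machine": "lab-srv-01", "crit_missing": 0}],
}


def risk_data_requirement(ontology, threats):
    """Fields the ontology says are needed to assess the identified threats."""
    fields = set()
    for threat in threats:
        for predicates in ontology[threat].values():
            fields.update(predicates)
    return fields


def integrate(sources, mapping):
    """Schema-match every source row through the mapping table into one
    central table keyed by entity. Columns without a mapping are dropped."""
    central = {}
    for source, rows in sources.items():
        for row in rows:
            mapped = {mapping[(source, col)]: val
                      for col, val in row.items() if (source, col) in mapping}
            entity = mapped.pop("entity")
            central.setdefault(entity, {}).update(mapped)
    return central


def missing_evidence(central, required):
    """Entities whose central record lacks a required field. These gaps are
    reported explicitly rather than silently read as 'no vulnerability'."""
    return {entity: sorted(required - set(data))
            for entity, data in central.items() if required - set(data)}


def tve_chains(ontology, central, threats):
    """A (threat, vulnerability, entity) chain exists when the entity's
    evidence is present and satisfies every predicate of the vulnerability."""
    chains = []
    for threat in threats:
        for vuln, predicates in ontology[threat].items():
            for entity, data in central.items():
                if all(field in data and check(data[field])
                       for field, check in predicates.items()):
                    chains.append((threat, vuln, entity))
    return chains


def existing_threats(chains):
    """Threats for which at least one TVE chain was found."""
    return sorted({threat for threat, _, _ in chains})


if __name__ == "__main__":
    threats = list(ONTOLOGY)
    required = risk_data_requirement(ONTOLOGY, threats)
    central = integrate(SOURCES, MAPPING)
    for threat, vuln, entity in tve_chains(ONTOLOGY, central, threats):
        print(f"{threat} -> {vuln} -> {entity}")
    print("missing evidence:", missing_evidence(central, required))
```

The chains printed by the script are the edges of the threat model; rendering them as a graph is left out here. The separate `missing_evidence` report matters in practice: an entity absent from a data source has unknown, not absent, vulnerabilities, which is exactly the data-availability bottleneck the abstract points at.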
A knowledge framework for dynamic vulnerability assessment in information risk management

LIU, S. (Author). 2 Oct 2007
Student thesis: Master's Thesis

| Date of Award | 2 Oct 2007 |
|---|---|
| Original language | English |
| Awarding Institution | City University of Hong Kong |
| Supervisor | Lam For KWOK (Supervisor) |

Keywords:
- Computer security
- Management
- Data protection