
IJCTE 2024 Vol.16(4): 104-126
DOI: 10.7763/IJCTE.2024.V16.1359

Cyber Security Risk Assessment and Optimal Risk Management of a National Vulnerability Database

Mehmet Sahinoglu
Department of Computer Science, Troy University, Troy 36082, USA
Email: mesa@troy.edu

Manuscript received December 13, 2023; revised January 12, 2024; accepted May 30, 2024; published October 21, 2024

Abstract— This research article focuses principally on a quantitative, rather than qualitative, subjective and non-numerical, cyber security risk assessment method, the Security Meter (SM) algorithm, to compute vital security indices in a national vulnerability database case study. The primary purpose is followed by a secondary, although critical, goal of managing an unfavorable risk percentage by optimally mitigating it to one selected acceptable level. This objective is realized by an optimization method using the well-known Linear Programming (LP) technique via both SM and an alternate LP-feasible solution method, EXCEL (XL) Solver. Information and cyber security risks are essential to an organization's or user's daily operations in today's IT-centric world. Vulnerabilities and threats can pose many challenges to the core security of any system, second only to the electric power grid that supplies the Internet. Without a vulnerability and associated threat-exposure management process, organizations remain blind and indifferent to those risks directly related to their IT infrastructure security. Understanding the security risks they face allows any organization or user to take well-advised decisions concerning remediating actions for managing the risks seriously with a cost-effective roadmap. Along with the rampant rise of potential risks from unexpected cyber-attacks, damage due to uncountable breaches of cyber security is growing at an unprecedented rate and becoming a serious economic concern and peril to users, organizations, and nations. This research article proposes application-based quantitative analyses of commonly encountered security risks in a national vulnerability database, as initial steps toward optimal security-centric, technological investment-savvy evaluations and cost-effective decision-making processes to best manage and prioritize risk mitigation.
The SM optimization results compare favorably with XL Solver solutions; moreover, SM's cumulative percentage of countermeasure changes needed to achieve the mitigation target is demonstrated to be less than that of XL Solver's, and is therefore the more cost-optimal. As a major takeaway, the proposed quantitative algorithms are more competitive, practical, goal-oriented, functional, and cost-conscious than the conventionally limited descriptive and categorical cyber security risk assessment and management options.

Keywords— quantitative, vulnerability, threat, countermeasure, Common Vulnerabilities and Exposures (CVE), Linear Programming (LP)-feasible, cost, Security Meter (SM), EXCEL (XL) solver, game theory, SysAdmin, Audit, Networking, and Security (SANS), National Institute of Standards and Technology (NIST), MITRE Corporation, Computer Emergency Readiness Team (CERT)

Cite: Mehmet Sahinoglu, "Cyber Security Risk Assessment and Optimal Risk Management of a National Vulnerability Database," International Journal of Computer Theory and Engineering, vol. 16, no. 4, pp. 104-126, 2024.

Copyright © 2024 by the authors. This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).