Quantitative risk assessment model for software security in the design phase of software development

Authors: David A. Umphress, Idongesit Mkpong-Ruffin, John A. Hamilton

DOI:

Keywords:

Abstract: Risk analysis is a process for considering possible risks and determining which are the most significant for any particular effort. Determining which risks to address, and the optimum strategy for mitigating them, is often an intuitive and qualitative process. An objective view of the risk inherent in a development effort requires a quantitative risk model. Quantitative models that have been used for risk factors tend to follow the traditional annualized loss expectancy (ALE) approach, which is based on the frequency of occurrence of a threat and the exposure factor (EF), the percentage of the asset lost due to the potential threat in question. This research instead uses empirical data that reflects the security posture of each vulnerability to calculate the loss expectancy, which serves as the impact estimator. Data from open source vulnerability databases, together with predicted results, are used as input to the security risk assessment model, so that the innate characteristics of each vulnerability are taken into account and incorporated into the loss expectancy calculation. The result of this model is an assessment of the threats, a ranking of these threats, and a metric for risk calculation.
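The traditional ALE approach that the abstract contrasts its model against is the product of three inputs: asset value (AV), exposure factor (EF) and annualized rate of occurrence (ARO), with SLE = AV × EF and ALE = SLE × ARO. The following is an added illustration, not code from the paper, of that baseline computation and of the threat ranking it produces. The `Threat` records and their dollar values, exposure factors and rates are constructed sample data, and the input checks (EF must lie in [0, 1], ARO must be non-negative) are the editor's own assumptions about sensible inputs; the paper's contribution, replacing the hand-estimated EF and frequency with empirically derived per-vulnerability data, is not reproduced here.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    """One threat/vulnerability scored with the classic ALE inputs.

    asset_value      AV:  monetary value of the affected asset
    exposure_factor  EF:  fraction of AV lost per occurrence, 0.0..1.0
    annual_rate      ARO: expected number of occurrences per year
    """
    name: str
    asset_value: float
    exposure_factor: float
    annual_rate: float


def single_loss_expectancy(t: Threat) -> float:
    """SLE = AV * EF: loss expected from a single occurrence."""
    # Assumption: EF is a percentage expressed as a fraction; reject nonsense.
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError(f"{t.name}: exposure factor must be in [0, 1]")
    if t.asset_value < 0:
        raise ValueError(f"{t.name}: asset value must be non-negative")
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE = SLE * ARO: loss expected per year from this threat."""
    if t.annual_rate < 0:
        raise ValueError(f"{t.name}: annual rate must be non-negative")
    return single_loss_expectancy(t) * t.annual_rate


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Order threats by descending ALE, i.e. the 'most significant' first."""
    return sorted(threats, key=annualized_loss_expectancy, reverse=True)


def total_ale(threats: List[Threat]) -> float:
    """Aggregate annual loss expectancy across all scored threats."""
    return sum(annualized_loss_expectancy(t) for t in threats)


# Constructed sample input (hypothetical values, not from the paper).
SAMPLE_THREATS = [
    Threat("SQL injection in login form", asset_value=500_000.0,
           exposure_factor=0.4, annual_rate=2.0),
    Threat("Hard-coded service credential", asset_value=200_000.0,
           exposure_factor=0.9, annual_rate=0.5),
    Threat("Verbose stack traces on error pages", asset_value=50_000.0,
           exposure_factor=0.1, annual_rate=10.0),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.name:40s} SLE={single_loss_expectancy(t):>10,.0f} "
              f"ALE={annualized_loss_expectancy(t):>10,.0f}")
    print(f"{'total':40s} ALE={total_ale(SAMPLE_THREATS):>21,.0f}")
```

Note that the ranking is only as objective as the EF and ARO inputs: the high-frequency but low-impact information leak lands below the rare but severe credential exposure purely because of the numbers an analyst chose, which is exactly the subjectivity the abstract's empirical per-vulnerability data is meant to remove.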
