CFP last date
20 January 2025
Reseach Article

A Formal Attack Centric Framework Highlighting Expected Losses of an Information Security Breach

by Harsh Srivastava, Kamlesh Dwivedi, Prabhat Kumar Pankaj, Vijaishri Tewari
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 68 - Number 17
Year of Publication: 2013
Authors: Harsh Srivastava, Kamlesh Dwivedi, Prabhat Kumar Pankaj, Vijaishri Tewari
10.5120/11672-7280

Harsh Srivastava, Kamlesh Dwivedi, Prabhat Kumar Pankaj, Vijaishri Tewari . A Formal Attack Centric Framework Highlighting Expected Losses of an Information Security Breach. International Journal of Computer Applications. 68, 17 ( April 2013), 26-31. DOI=10.5120/11672-7280

@article{ 10.5120/11672-7280,
author = { Harsh Srivastava, Kamlesh Dwivedi, Prabhat Kumar Pankaj, Vijaishri Tewari },
title = { A Formal Attack Centric Framework Highlighting Expected Losses of an Information Security Breach },
journal = { International Journal of Computer Applications },
issue_date = { April 2013 },
volume = { 68 },
number = { 17 },
month = { April },
year = { 2013 },
issn = { 0975-8887 },
pages = { 26-31 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume68/number17/11672-7280/ },
doi = { 10.5120/11672-7280 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T21:28:30.399902+05:30
%A Harsh Srivastava
%A Kamlesh Dwivedi
%A Prabhat Kumar Pankaj
%A Vijaishri Tewari
%T A Formal Attack Centric Framework Highlighting Expected Losses of an Information Security Breach
%J International Journal of Computer Applications
%@ 0975-8887
%V 68
%N 17
%P 26-31
%D 2013
%I Foundation of Computer Science (FCS), NY, USA
Abstract

From the beginning of the different approaches for analyzing and assessing the information related risk affecting organization, the two factors deriving risk are the damages or losses incurred to the organization and the probability of occurring of those risk incidents. Many qualitative and quantitative models have been proposed to estimate the above two factors considering the asset centric and software centric approaches. This paper proposes an attack centric framework that considers approaches of an attacker and different characteristics of attack in computing the overall impact of attack which can then be used to effectively calculate the overall loss incurred to the organization in the event of successful attack. This framework cognate with the existing ones and steps forward with a new mathematical approach to estimate the cost of any type of loss incurred to the organization due to the information security breach. Also the framework considers the cost of implementing security as loss in the event of security measure failed in providing appropriate protection against the threats.

References
  1. FAIR-Factor Analysis of Information Risk, A Framework For understanding, Analyzing and Measuring risk, Retrieved from www. isaca-cincinnati. org/Resources/Presentations/FAIR. pdf
  2. OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation, Retrieved June 3, 2005 from http://www. cert. org/octave/approach_intro. pdf,
  3. Chinchani R. , Iyer A. , Ngo H. , upadhyaya S. ,"A Target centric formal Model For insider Threat and More", Pages 5-7, Retrieved from http://www. cse. buffalo. edu/tech-reports/2004-16. pdf
  4. Ngoma S. ,(March 04,2012), "Vulnerability of IT Infrastructures: Internal and External Threats", Retrieved from www. congovision. com/IT-Security-Pub. pdf
  5. Information Asset register-The National Archives, Retrieved at http://www. nationalarchives. gov. uk/documents/information-management/info-asset-register-factsheet. pdf
  6. Howard M. , Pincus J. , Wing J. M. , (January 1,2003),"Measuring relative attack surfaces" , Retrieved from www. cs. cmu. edu/~wing/publications/Howard-Wing03. pdf
  7. Lunt T. F. , Tamaru A. , Gilham F. , Jagannathan R. , Jalali C. , Neumann P. G. ,(February 28,1992),"A REAL-TIME
  8. INTRUSION-DETECTION EXPERT SYSTEM (IDES)", Retrieved from www. csrdc. us/papers/9sri/9sri. pdf
  9. Ortalo R. ," Quantitative Evaluation of Information System Security Experimented in a Bank Organization", Pages 2-4, retrieved from http://homepages. laas. fr/deswarte/Publications/99587. pdf
  10. Lindholm L. , FISSEA-2006 conference, "What is Security Awareness", Retrieved from http://csrs. nist. gov/organizations/fissea/2006-conference/Lindholm-FISSEA2006. pdf
  11. Anderson K. , ISSA Journal(January 2013), "Can We Make Security Awareness Training Stickier?", Retrieved from www. issa. org/resource/resmgr/journalpdfs/feature0113. pdf
  12. Munteanu A. ," Information Security Risk Assessment:
  13. The Qualitative Versus Quantitative Dilemma", Retrieved from http://papers. ssrn. com/sol3/Delivery. cfm/SSRN_ID917767_code634051. pdf
Index Terms

Computer Science
Information Sciences

Keywords

Attack centric framework Expected losses Attack strength Security strength Impact of attack