Article

Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

Journal

INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT
Volume 28, Issue 6, Pages 483-491

Publisher

ELSEVIER SCI LTD
DOI: 10.1016/j.ijinfomgt.2008.01.009

Keywords

Information security; Risk analysis; Information-security measurement; Security threats; Vulnerability measurement

This paper proposes a new approach for assessing an organization's vulnerability to information-security breaches. Although much research has been done on qualitative approaches, the literature on numerical approaches that quantify information-security risk is scarce. This paper suggests a method to quantify risk as a numeric value, or degree, of cybersecurity. To help measure the level of cybersecurity of a computer-based information system quantitatively, we present two indices, the threat-impact index and the cyber-vulnerability index, both based on vulnerability trees. By calculating and comparing the indices for the various possible security enhancements, managers can select the best security enhancement, prioritize the choices by their relative effectiveness, and statistically justify spending resources on the selected choice. Because the method expresses information security as a number, it also helps managers set a specific target security level that they can track over time. We illustrate the proposed methodology on the security of supervisory control and data acquisition (SCADA) systems, using data from the SCADA system test bed implemented at the University of Louisville as a case study, and then show the proposed indices for this information system before and after two security enhancements. (C) 2008 Elsevier Ltd. All rights reserved.
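The abstract names the two indices but their definitions live in the paper, not on this page. The following Python is an added example, not the authors' code or their index definitions: it evaluates a small vulnerability tree under the common attack-tree convention of independent leaf probabilities combined by AND/OR gates, then treats the root success probability as a vulnerability index and its product with an assumed loss figure as a threat-impact index, and uses them the way the abstract describes (recompute for each candidate enhancement, compare before and after, rank). The tree, leaf probabilities, impact figure and enhancement costs are all constructed for illustration; they are not the Louisville test-bed data.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of a vulnerability tree. A leaf carries the (assumed independent)
    probability that the attacker step succeeds; an inner node combines children."""
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a leaf
    p: float = 0.0                      # leaf success probability (constructed)
    children: List["Node"] = field(default_factory=list)


def p_success(node: Node) -> float:
    """Probability that the node's goal is reached, assuming independent leaves:
    AND = product of children, OR = 1 - product of (1 - child)."""
    if node.gate is None:
        return node.p
    ps = [p_success(c) for c in node.children]
    if node.gate == "AND":
        out = 1.0
        for x in ps:
            out *= x
        return out
    if node.gate == "OR":
        miss = 1.0
        for x in ps:
            miss *= 1.0 - x
        return 1.0 - miss
    raise ValueError(f"unknown gate {node.gate!r}")


def apply_enhancement(root: Node, new_p: Dict[str, float]) -> Node:
    """Return a copy of the tree with the named leaves' probabilities replaced
    (an enhancement is modelled as lowering the success chance of specific steps)."""
    tree = copy.deepcopy(root)

    def walk(n: Node) -> None:
        if n.gate is None and n.name in new_p:
            n.p = new_p[n.name]
        for c in n.children:
            walk(c)

    walk(tree)
    return tree


# Constructed SCADA-style tree (illustrative only): the attacker's goal at the
# root is reached through any one of three paths; the dial-in path needs two steps.
SCADA_TREE = Node("HMI compromised", "OR", children=[
    Node("remote dial-in", "AND", children=[
        Node("reach maintenance modem", p=0.6),
        Node("default credentials accepted", p=0.5),
    ]),
    Node("exploit VPN concentrator", p=0.2),
    Node("physical access to control room", p=0.1),
])

IMPACT_USD = 1_000_000.0   # assumed loss if the root goal is reached (constructed)

# Candidate enhancements: name -> (cost in USD, leaf probability overrides). Constructed.
ENHANCEMENTS: Dict[str, Tuple[float, Dict[str, float]]] = {
    "enforce credential change": (5_000.0, {"default credentials accepted": 0.1}),
    "patch/harden VPN": (20_000.0, {"exploit VPN concentrator": 0.05}),
}


def vulnerability_index(tree: Node) -> float:
    """Illustrative vulnerability index: probability the root goal is reached."""
    return p_success(tree)


def threat_impact_index(tree: Node, impact: float = IMPACT_USD) -> float:
    """Illustrative threat-impact index: expected loss = P(root) * impact."""
    return p_success(tree) * impact


def rank_enhancements(tree: Node = SCADA_TREE,
                      enhancements=ENHANCEMENTS) -> List[Tuple[str, float, float]]:
    """Return [(name, new vulnerability index, loss reduction per dollar)], best first.
    Ranking by reduction per dollar is what lets a manager justify the spend."""
    base_loss = threat_impact_index(tree)
    rows = []
    for name, (cost, overrides) in enhancements.items():
        after = apply_enhancement(tree, overrides)
        rows.append((name, vulnerability_index(after),
                     (base_loss - threat_impact_index(after)) / cost))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"baseline vulnerability index: {vulnerability_index(SCADA_TREE):.4f}")
    for name, vi, per_dollar in rank_enhancements():
        print(f"{name:28s} index after={vi:.4f}  loss reduction per $={per_dollar:.2f}")
```

With these constructed numbers the baseline index is 0.496; fixing default credentials cuts it to 0.3232 at a fifth of the cost of the VPN work, which only reaches 0.4015, so it ranks first. The independence assumption is the usual caveat: if two leaves share a root cause (the same vendor account on the modem and the VPN, say), the OR gate overstates how much either enhancement buys on its own.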
