Title :
Security risk metrics: fusing enterprise objectives and vulnerabilities
Author :
Clark, K. ; Dawkins, J. ; Hale, J.
Abstract :
Automated scanners are unable to generate the information required to properly assess a network's risk. Although scanners may identify high risk exposures, they fail to determine how those exposures affect an organization's objectives. Such an assessment requires an auditor to identify the objectives and their relationship to network hosts. Mission trees allow security auditors to map relationships between an organization's objectives and its assets. Synthesizing this data with a vulnerability scanner lends itself to creating meaningful enterprise security metrics.
Keywords :
business data processing; enterprise resource planning; risk management; security of data; automated scanners; enterprise objectives; enterprise security metrics; enterprise vulnerability; mission tree; network risk assessment; risk exposure; security risk metrics; vulnerability scanner; Costs; Data security; Information security; Information technology; NIST; Network synthesis; Risk analysis; Risk management; Testing;
Conference_Title :
Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC
Print_ISBN :
0-7803-9290-6
DOI :
10.1109/IAW.2005.1495978