• DocumentCode
    725883
  • Title
    Quantifying security risk by measuring network risk conditions
  • Author
    Suh-Lee, Candace ; Juyeon Jo
  • Author_Institution
    Dept. of Comput. Sci., Univ. of Nevada, Las Vegas, NV, USA
  • fYear
    2015
  • fDate
    June 28 2015-July 1 2015
  • Firstpage
    9
  • Lastpage
    14
  • Abstract
    Software vulnerabilities are weaknesses in software that inadvertently allow dangerous operations. If the vulnerability is in a network service, it poses a serious security threat because a cyber-attacker can exploit it to gain unauthorized access to the system. Hence, rapid discovery and remediation of network vulnerabilities are critical issues in network security. In today's dynamic IT environment, it is common practice for an organization to prioritize the mitigation of discovered vulnerabilities according to their risk levels. Currently available technologies, however, associate each vulnerability with a static risk level that does not take the unique characteristics of the target network into account. This often leads to inaccurate risk prioritization and less-than-optimal resource allocation. In this research, we introduce a novel way of quantifying the risk of a network vulnerability by augmenting the static risk level with conditions specific to the target network. The method calculates the risk value of each vulnerability by measuring its proximity to the untrusted network and the risk of the neighboring hosts. The resulting risk value, RCR, is a composite index of the individual risk, the network location and the neighborhood risk conditions. Thus, it can be effectively used for prioritization, comparison and trending. We tested the methodology through network intrusion simulation. The results show an average correlation of 88.9% between RCR and the number of successful attacks on each vulnerability.
  • Keywords
    computer network security; resource allocation; risk management; RCR; cyber-attacker; dynamic IT environment; less-than-optimal resource allocation; network intrusion simulation; network location; network risk condition measurement; network security; network service; network vulnerability; risk prioritization; security risk quantification; security threats; software vulnerability; Internet; Organizations; Reliability; Security; Servers; Standards organizations; Workstations; network security; quantitative risk analysis; risk management; useable security; vulnerability management;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Information Science (ICIS), 2015 IEEE/ACIS 14th International Conference on
  • Conference_Location
    Las Vegas, NV
  • Type
    conf
  • DOI
    10.1109/ICIS.2015.7166562
  • Filename
    7166562