A risk index model for security incident prioritisation
Document Type
Conference Proceeding
Publisher
School of Computer & Security Science, Edith Cowan University
Faculty
Faculty of Computing, Health and Science
School
School of Computer and Security Science / Security Research Centre (secAU)
RAS ID
12837
Abstract
With thousands of incidents identified by security appliances every day, distinguishing the important incidents from the trivial ones is a complicated process. This paper proposes an incident prioritisation model, the Risk Index Model (RIM), which is based on risk assessment and the Analytic Hierarchy Process (AHP). The model uses indicators such as criticality, maintainability, replaceability and dependability as decision factors to calculate a risk index for each incident. The RIM was validated using the MIT DARPA LLDOS 1.0 dataset, and the results were compared against the combined priorities of the Common Vulnerability Scoring System (CVSS) v2 and Snort Priority. The experimental results show that 100% of incidents could be rated with RIM, compared to only 17.23% with CVSS. In addition, the study addresses the limitation of the grouped Snort Priority levels (high, medium and low) by quantitatively ranking, sorting and listing incidents according to their risk index. The study also investigates the effect of applying weighted indicators in the calculation of the risk index, as well as the effect of calculating them dynamically. The experiments show significant changes in the resulting risk index and in some of the top priority rankings.
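As an added illustration (not code from the paper, which this page summarises only by its abstract), the following Python shows the mechanics the abstract describes: AHP turns pairwise judgements about the four indicators into a weight vector, a consistency ratio checks that the judgements are not self-contradictory, and a weighted risk index then ranks incidents. Everything concrete here is a constructed assumption: the Saaty-scale comparison matrix, the 1..5 indicator scale, the convention that a higher score adds more risk, and the three sample incidents. The paper's own indicator definitions, judgements and formulas are not on this page.

```python
"""AHP-weighted risk index for incident prioritisation (added example).

Assumptions (not from the paper): indicators are scored 1..5 per incident,
higher meaning a larger risk contribution; the pairwise comparison matrix is
hypothetical; the risk index is the weighted sum of normalised scores.
"""
import math

INDICATORS = ["criticality", "maintainability", "replaceability", "dependability"]

# Hypothetical Saaty-scale pairwise comparisons. Entry [i][j] states how much
# more important indicator i is than indicator j; the matrix is reciprocal,
# i.e. [j][i] == 1 / [i][j]. These are illustrative judgements, not the paper's.
PAIRWISE = [
    [1.0,   3.0,   5.0,   3.0],
    [1 / 3, 1.0,   3.0,   1.0],
    [1 / 5, 1 / 3, 1.0,   1 / 3],
    [1 / 3, 1.0,   3.0,   1.0],
]

# Saaty's random consistency index, by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41}

# Constructed incidents: indicator scores in INDICATORS order.
INCIDENTS = {
    "incident-A": [5, 2, 1, 5],   # critical, dependable asset; cheap to fix/replace
    "incident-B": [2, 5, 5, 2],   # high maintainability/replaceability, low criticality
    "incident-C": [3, 3, 3, 3],   # flat profile
}


def ahp_weights(matrix):
    """Priority vector via the row geometric-mean approximation of the
    principal eigenvector; returns weights that sum to 1."""
    n = len(matrix)
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    return [g / total for g in geo]


def consistency_ratio(matrix, weights):
    """Saaty consistency ratio CR = CI / RI with CI = (lambda_max - n)/(n - 1).
    Judgements are conventionally accepted when CR < 0.1."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    ri = RANDOM_INDEX[n]
    return ci / ri if ri else 0.0


def equal_weights(n):
    """Baseline: every indicator counts the same (no AHP weighting)."""
    return [1.0 / n] * n


def risk_index(scores, weights, scale_max=5):
    """Weighted sum of scores normalised to [0, 1]."""
    return sum(w * s / scale_max for w, s in zip(weights, scores))


def rank_incidents(incidents, weights):
    """Return incident names sorted by descending risk index (ties by name)."""
    scored = [(risk_index(scores, weights), name) for name, scores in incidents.items()]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [name for _, name in scored]


if __name__ == "__main__":
    w = ahp_weights(PAIRWISE)
    print("weights:", dict(zip(INDICATORS, (round(x, 3) for x in w))))
    print("consistency ratio:", round(consistency_ratio(PAIRWISE, w), 3))
    print("AHP ranking:  ", rank_incidents(INCIDENTS, w))
    print("equal-weight ranking:", rank_incidents(INCIDENTS, equal_weights(len(INDICATORS))))
```

Running the block shows the effect the abstract reports for weighted indicators: with equal weights incident-B ranks first because its raw scores sum highest, whereas under the AHP weights (where criticality dominates) incident-A moves to the top and incident-B drops to last. The consistency ratio for the constructed matrix is well under the customary 0.1 threshold; a matrix that failed that check should be revised before its weights are used for ranking.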
DOI
10.4225/75/57b52a66cd8b5
Access Rights
free_to_read
Comments
Anuar, N., Furnell, S., Papadaki, M., & Clarke, N. (2011). A risk index model for security incident prioritisation. Paper presented at the 9th Australian Information Security Management Conference, Perth, WA.