A Review of Cyber Security Risk Assessment for Web System during Its Deployment and Operation

  • Manh Tuan Nguyen
  • Thi Huong Giang Vu, Hanoi University of Science and Technology
Keywords: security risk assessment, DevOps, web system, Bayesian network


This paper presents the state of the art in security risk assessment of web systems. The security risk assessment process and the development and operation process of information systems in general, and web systems in particular, are described step by step, showing how risk assessment is performed during the deployment and operation of web systems. Based on this analysis, methods for manual and automatic risk assessment are reviewed, with a focus on methods that use probability theory and Bayesian networks. Techniques for quantitative and qualitative assessment are presented and compared in terms of their objectives, scope, and results in order to identify their advantages and limitations. Finally, approaches dedicated to assessing the risks of web systems are presented.

