A review of cyber security risk assessment for web systems during its deployment and operation

  • Manh Tuan Nguyen, Hanoi University of Science and Technology
  • Thi Huong Giang Vu, Hanoi University of Science and Technology
Keywords: security risk assessment, DevOps, web system, Bayesian network


This paper presents the state of the art in security risk assessment of web systems.
The process of assessing security risks and the process of developing and operating information systems in general, and web systems in particular, are depicted step by step, showing how risk assessment is performed during the deployment and operation of web systems.
Based on this analysis, different methods related to the manual and automatic risk assessment are reviewed, focusing on the methods using probability theory and Bayesian networks.
The techniques developed for quantitative and qualitative assessment are presented and compared in terms of their objectives, scopes, and results in order to identify their advantages and limitations.
Finally, the approaches dedicated to assessing the risks of web systems are presented.
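As an added illustration of the Bayesian-network style of quantitative risk assessment that the abstract refers to (this is example code written for this page, not a model from the paper or from any of the works it reviews), the block below encodes a small network for a web deployment scenario: a deployment misconfiguration and an application vulnerability both raise the probability of a successful exploit, which in turn raises the probability of a breach. Every node name and every probability in the conditional probability tables is a constructed assumption; the point is the mechanics, that is, how a breach likelihood is obtained by enumeration and how conditioning on a deployment-stage fact (the misconfiguration being present or absent) changes the estimated risk.

```python
"""Toy Bayesian network for web-system risk assessment (constructed example)."""
from itertools import product

# Each node maps to (parents, CPT). A CPT maps a tuple of parent values
# (in parent order) to P(node = True). All numbers are hypothetical.
NETWORK = {
    # deployment-stage misconfiguration, e.g. debug mode left enabled
    "misconfig": ((), {(): 0.20}),
    # exploitable flaw present in the deployed web application
    "vuln": ((), {(): 0.30}),
    # probability that an attacker succeeds in exploiting the system
    "exploit": (("misconfig", "vuln"), {
        (False, False): 0.01,
        (False, True):  0.30,
        (True, False):  0.10,
        (True, True):   0.70,
    }),
    # probability of a data breach given whether exploitation succeeded
    "breach": (("exploit",), {(False,): 0.02, (True,): 0.90}),
}


def joint(assignment, network=NETWORK):
    """Joint probability of one full assignment (node -> bool) under the network."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def probability(query, evidence=None, network=NETWORK):
    """P(query | evidence) by full enumeration over all assignments.

    query and evidence are dicts node -> bool. Enumeration is exponential in
    the number of nodes, which is fine for a model of this size.
    """
    evidence = evidence or {}
    nodes = list(network)
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint(assignment, network)
        denominator += p
        if all(assignment[k] == v for k, v in query.items()):
            numerator += p
    return numerator / denominator


def expected_loss(p_breach, impact):
    """Quantitative risk as likelihood times impact (impact in arbitrary units)."""
    return p_breach * impact


def deployment_risk_comparison(impact=100_000.0):
    """Breach likelihood and expected loss with and without the misconfiguration."""
    return {
        "baseline": expected_loss(probability({"breach": True}), impact),
        "misconfig_fixed": expected_loss(
            probability({"breach": True}, {"misconfig": False}), impact),
        "misconfig_present": expected_loss(
            probability({"breach": True}, {"misconfig": True}), impact),
    }


if __name__ == "__main__":
    for label, loss in deployment_risk_comparison().items():
        print(f"{label:>18}: expected loss {loss:,.0f}")
```

Conditioning on evidence gathered at deployment time (here, whether the misconfiguration was detected and fixed) is what makes the network useful during operation: the same model answers both the predictive question (how likely is a breach) and the diagnostic one (given a breach, which cause is most probable), and the gap between the two conditioned values quantifies what the deployment check is worth.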

