This Is AuburnElectronic Theses and Dissertations

Quantitative Risk Assessment Model for Software Security in the Design Phase of Software Development

Date

2009-05-15

Author

Mkpong-Ruffin, Idongesit

Type of Degree

Dissertation

Department

Computer Science and Software Engineering

Abstract

Risk analysis is a process for considering possible risks and determining,which are the most significant for any particular effort. Determining which risks to address and the optimum strategy for mitigating said risks is often an intuitive and qualitative process. An objective view of the risks inherent in a development effort requires a quantitative risk model. Quantitative risk models used in determining which risk factors to focus on tend to use a traditional approach of annualized loss expectancy (ALE)which is based on frequency of occurrence and the exposure factor (EF) which is the percentage of asset loss due to the potential threat in question. This research uses empirical data that reflects the security posture of each vulnerability to calculate Loss Expectancy; a risk impact estimator. Data from open source vulnerability databases and results of predicted threat models are used as input to the risk model. Security factors that take into account the innate characteristics of each vulnerability are incorporated into the calculation of the risk model. The result of this model is an assessment of the potential threats to a development effort and a ranking of these threats based on the risk metric calculation.