Security risk metrics: fusing enterprise objectives and vulnerabilities
- Resource Type
- Conference
- Authors
- Clark, K.; Dawkins, J.; Hale, J.
- Source
- Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop (IAW '05), 2005, pp. 388-393
- Subject
- Communication, Networking and Broadcast Technologies; Computing and Processing; Information security; Risk management; Risk analysis; Data security; Testing; Network synthesis; Information technology; Costs; NIST
- Language
- English
- Abstract
- Automated vulnerability scanners cannot, on their own, generate the information required to properly assess a network's risk. Although a scanner may identify high-risk exposures, it does not determine how those exposures affect an organization's objectives. Such an assessment requires an auditor to identify the objectives and their relationships to network hosts. Mission trees let security auditors map the relationships between an organization's objectives and its assets. Combining these mappings with scanner output yields meaningful enterprise security metrics.
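The abstract describes the fusion of a mission tree with scanner output only in outline. The following Python is an added illustration of that idea and is not code from the paper or its authors: it builds a small mission tree (objectives down to the hosts they rely on), joins it to constructed scanner findings, and rolls risk up to each objective. The tree, the hostnames and finding identifiers, the exposure score (highest severity on a host scaled to 0..1) and the two aggregation rules (an objective that needs all its children fails if any child fails; a redundant objective fails only if every alternative fails) are all assumptions chosen for this example, not definitions taken from the paper.

```python
"""Toy mission-tree risk roll-up (illustration only, not the paper's model).

Assumptions made here, none of which come from the paper:
  * an asset's exposure is its highest scanner severity, scaled to [0, 1];
  * an objective that needs ALL its children fails if any child fails,
    so its risk is combined noisy-OR style: 1 - prod(1 - r_child);
  * an objective with redundant ANY-of alternatives fails only if every
    alternative fails, so its risk is prod(r_child).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    mode: str = "all"            # "all" (needs every child) or "any" (redundant)
    children: List["Node"] = field(default_factory=list)
    host: Optional[str] = None   # set on leaves: the hostname the scanner reports


# Constructed scanner output: host -> [(finding id, base severity 0-10)].
# Hosts and finding ids are made up for this example.
FINDINGS: Dict[str, List[Tuple[str, float]]] = {
    "web-01": [("FINDING-A", 9.8), ("FINDING-B", 5.3)],
    "web-02": [("FINDING-B", 5.3)],
    "db-01": [("FINDING-C", 7.5)],
    "mail-01": [],
}

# Constructed mission tree: business objectives down to the hosts they rely on.
MISSION = Node("Run the online business", "all", [
    Node("Take customer orders", "all", [
        Node("Serve the storefront", "any", [   # two load-balanced web servers
            Node("web-01", host="web-01"),
            Node("web-02", host="web-02"),
        ]),
        Node("Store orders", "all", [Node("db-01", host="db-01")]),
    ]),
    Node("Notify customers", "all", [Node("mail-01", host="mail-01")]),
])


def asset_exposure(host, findings):
    """Highest severity seen on the host, scaled to 0..1 (0 if nothing found)."""
    scores = [sev for _, sev in findings.get(host, [])]
    return max(scores) / 10.0 if scores else 0.0


def objective_risk(node, findings):
    """Roll asset exposure up through the tree using the node's aggregation mode."""
    if node.host is not None:
        return asset_exposure(node.host, findings)
    risks = [objective_risk(c, findings) for c in node.children]
    if not risks:
        return 0.0
    if node.mode == "any":           # redundant alternatives: all must fail
        prod = 1.0
        for r in risks:
            prod *= r
        return prod
    survive = 1.0                    # needs every child: any failure breaks it
    for r in risks:
        survive *= 1.0 - r
    return 1.0 - survive


def risk_report(root, findings):
    """Risk of every objective and asset in the tree, keyed by node name."""
    report = {}

    def walk(n):
        report[n.name] = objective_risk(n, findings)
        for c in n.children:
            walk(c)

    walk(root)
    return report


def finding_impact(root, findings):
    """Mission-weighted severity: how much root risk drops if one finding is fixed."""
    base = objective_risk(root, findings)
    impact = {}
    for host, items in findings.items():
        for fid, _ in items:
            patched = {h: [f for f in fs if not (h == host and f[0] == fid)]
                       for h, fs in findings.items()}
            impact[(host, fid)] = base - objective_risk(root, patched)
    return impact


def ranked_findings(root, findings):
    """Findings ordered by mission impact rather than by raw scanner severity."""
    return sorted(finding_impact(root, findings).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for name, r in risk_report(MISSION, FINDINGS).items():
        print(f"{r:5.2f}  {name}")
    for (host, fid), delta in ranked_findings(MISSION, FINDINGS):
        print(f"{delta:5.2f}  {host} {fid}")
```

Under these assumptions the ranking differs from what a scanner alone would report: the severity-9.8 finding on web-01 matters less to the mission than the severity-5.3 finding on web-02, because fixing the latter restores a clean redundant path through the storefront, while the database finding dominates everything because no objective above it has an alternative.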