DocumentCode
2214171
Title
A qualitative and quantitative risk assessment method in software security
Author
Zhang, Yi-kun ; Jiang, Su-yang ; Cui, Ying-an ; Zhang, Bao-wei ; Xia, Hui
Author_Institution
Sch. of Comput. Sci. & Eng., XAUT, Xi'an, China
Volume
1
fYear
2010
fDate
20-22 Aug. 2010
Abstract
Focusing on software security risk assessment, this paper combines attack tree model analysis with Bayesian network analysis, taking advantage of both qualitative and quantitative analysis to assess software security risks. By constructing and pruning the attack tree model, the method first narrows down the scope of threats generated by the software system. With a preliminary control of risk probability, and using the prior probability values, the conditional probability table and the Bayesian formula, the method can accurately assess the risk probability of the software system. The combined risk assessment method makes up for the deficiency of a single risk assessment method and yields more accurate evaluation results. It can determine the risk rank of a software project more accurately and supports defense and recovery for the modules at risk.
Keywords
belief networks; risk analysis; security of data; statistical analysis; trees (mathematics); Bayesian formula; Bayesian network analysis; attack tree model analysis; conditional probability table; qualitative risk assessment method; quantitative risk assessment method; risk probability; software security; Attack Tree Model; Bayesian Network; Software; Trustworthy;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on
Conference_Location
Chengdu
ISSN
2154-7491
Print_ISBN
978-1-4244-6539-2
Type
conf
DOI
10.1109/ICACTE.2010.5578960
Filename
5578960