Information Security Risk Assessment Methodologies in Vulnerability Assessment of Information Systems

Aliaksandr Astafyeu

Abstract: FortConsult A/S performs so-called penetration tests (pentests) within clients' organizations to find possible ways that attackers could follow to affect the organizations' assets. Currently, FortConsult uses a modification of the risk assessment model called DREAD to classify vulnerabilities identified during pentests. This classification provides clients with information about the priority of vulnerabilities (e.g. critical, high, middle, low), allowing them to understand which vulnerabilities they have to take care of first.
This project has several goals:
- To analyze the use of the DREAD model, particularly its advantages and disadvantages, and provide practical examples of its efficiency. This analysis should also examine different fields of application, such as wireless tests, web app tests, internal infrastructure tests, denial of service tests, etc.
- To study the current implementation of the DREAD model within FortConsult and determine how it fits the company's needs. This means performing an analysis of data taken from previous and current pentests. As a result, we must answer whether the DREAD model results are appropriately related to the real issues of the clients' organizations, for example whether it helps reduce their information security costs. This will help to understand the strengths and weaknesses of the current implementation of DREAD.
- Using the collected data and the experience gained from analyzing the DREAD model, we are going to study existing risk assessment models to determine if there is one which better fits the company's needs.
The project should determine whether the existing implementation of the DREAD model may be adjusted and improved. After comparing all the appropriate models, FortConsult may decide to test and integrate another model for their purposes. The proposed analysis will be performed within a particular company, but the expected results may have more general applications, such as a general approach for measuring the efficiency of information security risk assessment models.
Type: Master's thesis [Industrial collaboration]
Year: 2015
Publisher: Technical University of Denmark, Department of Applied Mathematics and Computer Science
Address: Richard Petersens Plads, Building 324, DK-2800 Kgs. Lyngby, Denmark, compute@compute.dtu.dk
Series: DTU Compute M.Sc.-2015
Note: DTU supervisor: Christian D. Jensen, cdje@dtu.dk, DTU Compute
Publication link: http://www.compute.dtu.dk/english
IMM Group(s): Computer Science & Engineering