Paper Abstract and Keywords |
Presentation |
2021-01-18 15:50
[Invited Talk]
Risk Analysis Methods and Actual Conditions in Cyber Security Kentaro Sonoda, Haruka Nakashima (NEC) IN2020-49 |
Abstract |
(in Japanese) |
(See Japanese page) |
(in English) |
For corporations, risk means business risk, and cyber security (cyber attacks) is positioned as one of the important business risks. Risks in cyber security are generally analyzed and evaluated based on vulnerability and threat information. For example, the Common Vulnerability Scoring System (CVSS) is popular as a vulnerability evaluation method. However, existing methods, including CVSS, calculate the severity of a vulnerability by comprehensively judging a large number of evaluation items. Therefore, there can be differences between the risk values calculated by these methods and those judged by evaluators (penetration testers) who consider the characteristics of the business environment.
Thus, we defined two types of evaluation criteria for a risk: the impact and the exploitability. The former is the degree of influence on the business, based on the existing methods. The latter is the possibility of a successful attack, reflecting the environment and conditions of the attack from the attacker's perspective. We conducted evaluations through vulnerability assessments and penetration tests using our criteria. As a result, the criteria enabled the evaluators to determine the priority of countermeasures in accordance with the business environment, based on factors such as the configuration of the system, the possible attack methods and the lessons learned from past security incidents. On the other hand, we found an issue: the result of the judgement depends on the evaluator, because the criteria for weighting the importance of CIA (Confidentiality, Integrity and Availability) to the business are only qualitative at present. To make a more accurate evaluation, we need more quantitative criteria. In the future, we will work on optimizing the evaluation by solving this problem. |
Keyword |
(in Japanese) |
(See Japanese page) |
(in English) |
Cyber Security / Risk Analysis / CVSS / Vulnerability Assessment / Penetration Test |
Reference Info. |
IEICE Tech. Rep., vol. 120, no. 311, IN2020-49, pp. 37-37, Jan. 2021. |
Paper # |
IN2020-49 |
Date of Issue |
2021-01-11 (IN) |
ISSN |
Online edition: ISSN 2432-6380 |
Copyright and reproduction |
All rights are reserved and no part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system, without permission in writing from the publisher. Notwithstanding, instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. (License No.: 10GA0019/12GB0052/13GB0056/17GB0034/18GB0034) |
Conference Information |
Committee |
IN |
Conference Date |
2021-01-18 - 2021-01-19 |
Place (in Japanese) |
(See Japanese page) |
Place (in English) |
Online |
Topics (in Japanese) |
(See Japanese page) |
Topics (in English) |
Contents Distribution, Social Networking Services, Data Analytics and Processing Platform, Big data, etc. |
Paper Information |
Registration To |
IN |
Conference Code |
2021-01-IN |
Language |
Japanese |
Title (in Japanese) |
(See Japanese page) |
Sub Title (in Japanese) |
(See Japanese page) |
Title (in English) |
Risk Analysis Methods and Actual Conditions in Cyber Security |
Keyword(1) |
Cyber Security |
Keyword(2) |
Risk Analysis |
Keyword(3) |
CVSS |
Keyword(4) |
Vulnerability Assessment |
Keyword(5) |
Penetration Test |
1st Author's Name |
Kentaro Sonoda |
1st Author's Affiliation |
NEC Corporation (NEC) |
2nd Author's Name |
Haruka Nakashima |
2nd Author's Affiliation |
NEC Corporation (NEC) |
Speaker |
Author-1 |
Date Time |
2021-01-18 15:50:00 |
Presentation Time |
50 minutes |
Registration for |
IN |
Paper # |
IN2020-49 |
Volume (vol) |
vol.120 |
Number (no) |
no.311 |
Page |
p.37 |
#Pages |
1 |
Date of Issue |
2021-01-11 (IN) |
|