Electronic Thesis and Dissertation Repository

Framework for Assessing Information System Security Posture Risks

Syed Waqas Hamdani, The University of Western Ontario

Abstract

In today’s data-driven world, Information Systems, particularly those operating in regulated industries, require comprehensive security frameworks to protect against loss of confidentiality, integrity, or availability of data, whether due to malice, accident, or otherwise. Once such a security framework is in place, an organization must continuously monitor and assess the overall compliance of its systems to detect and rectify any issues found. This thesis presents a technique and a supporting toolkit that, first, models the dependencies between security policies (referred to as controls); second, devises models that associate risk with policy violations; third, devises algorithms that propagate risk when one or more policies are found to be non-compliant; and fourth, proposes a technique that evaluates the overall security posture risk of a system as a function of the non-compliant policies, the policies they affect, and the time elapsed since these policy violations were discovered but not yet mitigated. More specifically, the approach is based on modeling the dependencies between the different controls in the NIST 800-53 framework by compiling a dependency multi-graph, devising a fuzzy-reasoning-based risk assessment technique that traverses the dependency multi-graph and assigns an overall security exposure risk score when one or more controls fail, and finally a technique for identifying the strategies an attacker could use, given the failed controls, against which an organization should defend itself. This approach allows organizations to obtain a bird’s-eye view of their Information Systems’ cyber security posture and helps triage the security control checks by focusing on the most vulnerable parts of their Information System ecosystem.
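The following is an added illustrative example, not the thesis's own toolkit or algorithm: it sketches the idea of a control dependency multi-graph, risk propagation from failed controls using max as the fuzzy OR, a time factor for violations left unmitigated, and a single posture score. The control IDs are NIST SP 800-53 identifiers, but the edges, weights and scoring rules are constructed assumptions for demonstration only.

```python
from collections import defaultdict

# Constructed toy dependency multi-graph (assumption, not from the thesis).
# Edge (src, dst, w): control dst relies on control src; w in (0, 1] is how
# strongly a failure of src degrades dst. Two parallel AU-2 -> AU-6 edges
# show why a multi-graph (not a simple graph) is needed.
EDGES = [
    ("AC-2", "AC-3", 0.9),   # account management underpins access enforcement
    ("AC-2", "AU-2", 0.5),   # unmanaged accounts weaken audit event coverage
    ("IA-2", "AC-3", 0.8),   # weak authentication undermines access enforcement
    ("AC-3", "SC-7", 0.6),   # access enforcement feeds boundary protection
    ("AU-2", "AU-6", 0.7),   # audit events feed audit review
    ("AU-2", "AU-6", 0.4),   # a second, weaker dependency between the same pair
]

def build_graph(edges):
    g = defaultdict(list)
    for src, dst, w in edges:
        g[src].append((dst, w))
    return g

def time_factor(days_open, half_life=30.0):
    """Exposure contribution of an unmitigated violation; 0 at discovery,
    0.5 after one half-life, saturating towards 1 (assumed curve)."""
    return 1.0 - 0.5 ** (days_open / half_life)

def propagate(graph, failed):
    """failed: {control_id: days_open}. Returns {control_id: risk in [0, 1]}.
    A directly failed control scores 0.5 + 0.5 * time_factor; a dependent
    control receives risk_src * w per incoming edge, combined with max
    (Zadeh fuzzy OR). Weights < 1 guarantee the worklist converges."""
    risk = {c: 0.5 + 0.5 * time_factor(d) for c, d in failed.items()}
    frontier = list(failed)
    while frontier:
        src = frontier.pop()
        for dst, w in graph.get(src, []):
            cand = risk[src] * w
            if cand > risk.get(dst, 0.0) + 1e-12:
                risk[dst] = cand          # fuzzy OR: keep the strongest evidence
                frontier.append(dst)      # re-examine everything that depends on dst
    return risk

def posture_score(risk):
    """Overall posture risk as a noisy-OR over every affected control."""
    survive = 1.0
    for r in risk.values():
        survive *= 1.0 - r
    return 1.0 - survive

if __name__ == "__main__":
    r = propagate(build_graph(EDGES), {"AC-2": 0})
    print(sorted(r.items()), round(posture_score(r), 3))
```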