A Cost-Optimization Scheme Using Security Vulnerability Measurement for Efficient Security Enhancement

  • Park, Jun-Young (Dept. of Computer Science and Engineering, Kyung Hee University)
  • Huh, Eui-Nam (Dept. of Computer Science and Engineering, Kyung Hee University)
  • Received : 2018.04.12
  • Accepted : 2019.04.22
  • Published : 2020.02.29


The security risk management used by some service providers is not appropriate for effective security enhancement, because those methods did not take into account the opinions of security experts, the type of service, or security vulnerability-based risk assessment. Moreover, the security risk assessment method, which strongly influences the risk treatment method in an information security risk assessment model, should assess risk at a fine granularity by considering security vulnerabilities rather than security threats. Therefore, we propose an improved information security risk management model and methods that consider vulnerability-based risk assessment and mitigation to enhance security controls under a limited security budget. Moreover, the security cost allocation strategies can be evaluated based on security vulnerability measurement that takes security weights into account.


Grant : Service mobility support distributed cloud technology

Supported by : Institute for Information & communications Technology Planning & Evaluation (IITP)

