| Presentation | 2021-01-18 [Invited Talk] Risk Analysis Methods and Actual Conditions in Cyber Security Kentaro Sonoda, Haruka Nakashima, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Risks in corporations mean business risks, and a cyber security (cyber attack) is positioned as one of the important business risks. Risks in cyber security are generally analyzed and evaluated based on vulnerabilities and threats information. For example, Common Vulnerability Scoring System (CVSS) is popular as a vulnerability evaluation method. However, existing methods, including CVSS, calculate the severity of vulnerability by comprehensively judging a large number of evaluation items. Therefore, there can be differences between risk values calculated by these methods and judged by evaluators (penetration testers) who consider the characteristics of the business environment. Thus, we defined two types of evaluation criteria on a risk: the impact and the exploitability. The former is the degree of influence on the business based on the existing methods. The latter is the possibility of successful attacks that is reflected on the environment and conditions of the attacks from the perspective of attackers. We conducted evaluations through vulnerability assessments and penetration tests using our criteria. As a result, it worked for the evaluators to determine the priority of countermeasures in accordance with the business environment based on some factors such as the configuration of the system, the possible attack methods and the lessons learned from past security accidents. On the other hand, we found an issue that the result of judgements depends on the evaluators because the criteria for weighting the importance measure of CIA (Confidentiality, Integrity and Availability) on the business are only qualitative at present. In order to make a more accurate evaluation, we need more quantitative criteria. In the future, we will work on optimizing the evaluation by solving such a problem. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Cyber Security / Risk Analysis / CVSS / Vulnerability Assessment / Penetration Test |
| Paper # | IN2020-49 |
| Date of Issue | 2021-01-11 (IN) |
| Conference Information | |
| Committee | IN |
|---|---|
| Conference Date | 2021/1/18(2days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | Online |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | Contents Distribution, Social Networking Services, Data Analytics and Processing Platform, Big data, etc. |
| Chair | Kenji Ishida(Hiroshima City Univ.) |
| Vice Chair | Kunio Hato(Internet Multifeed) |
| Secretary | Kunio Hato(Hiroshima City Univ.) |
| Assistant | |
| Paper Information | |
| Registration To | Technical Committee on Information Networks |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | [Invited Talk] Risk Analysis Methods and Actual Conditions in Cyber Security |
| Sub Title (in English) | |
| Keyword(1) | Cyber Security |
| Keyword(2) | Risk Analysis |
| Keyword(3) | CVSS |
| Keyword(4) | Vulnerability Assessment |
| Keyword(5) | Penetration Test |
| 1st Author's Name | Kentaro Sonoda |
| 1st Author's Affiliation | NEC Corporation(NEC) |
| 2nd Author's Name | Haruka Nakashima |
| 2nd Author's Affiliation | NEC Corporation(NEC) |
| Date | 2021-01-18 |
| Paper # | IN2020-49 |
| Volume (vol) | vol.120 |
| Number (no) | IN-311 |
| Page | pp.pp.37-37(IN), |
| #Pages | 1 |
| Date of Issue | 2021-01-11 (IN) |