
Center for Systems and Software Engineering

Last update: July 2009

Security Economics and Threat Modeling for IT Systems

- A Stakeholder Value Driven Approach

About us

Dr. Yue (Bill) Chen leads this research initiative, which is sponsored by NSF. He is currently a Visiting Research Associate at CSSE, working closely with Dr. Barry W. Boehm at the University of Southern California. He received his Bachelor's degree in Electrical Engineering from the University of Science and Technology of China in 1997. His research interests include Security Economics, Software Life-cycle Processes and Management, Computer Security, Off-The-Shelf Software Systems and Software Cost Estimation. He is a member of the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG) and actively contributes to the CVSSCost project.

Previously, he interned with the Cisco MRBU Security Team (San Jose, CA, 2007) as a Software Engineer, contributing to the VPN and ACL features for the Cisco 7300 mid-range routers. He also interned at Microsoft (Seattle, WA, 2005) as a Program Manager responsible for the Extranet user authentication and licensing control feature of MS Small Business Server. In addition, he worked at Infosec Corp. (Beijing, China, 1998-2000) as a Project Manager, coordinating the development of Internet Bank user authentication and secure data communication software.

He can be reached by email at chen.yue@acm.org.

 

Research Overview

In the past decade, IT security has been recognized as a mission-critical factor in the success of many organizations whose daily business relies heavily on a healthy IT infrastructure. Unfortunately, the IT security budget is often very limited. According to the 2006 CSI/FBI survey, about 47% of the Fortune 500 firms spent 2% or less of their total IT budget on security. To date, it is still very difficult for management to reason about how much security is enough. When security competes for a limited amount of resources, how do we invest in it smartly? Our research approaches the answer to this question with tangible and quantitative evidence.

The goal of our research is to help IT security managers:

  • Prioritize system security threats and vulnerabilities with respect to business context and stakeholder values
  • Measure the cost-effectiveness of common security practices such as Firewall, system patching and hardening, enhancing physical security, creating backup systems, and data encryption.
  • Visualize the economic payoff curve for IT security investment with tangible evidence
  • Identify the "sweet spot" to invest for IT security

We have devised a quantitative model, the Threat Modeling framework based on Attack Path analysis (T-MAP), to measure and prioritize security threats by calculating the total severity weights of the relevant attack paths for IT systems. Compared to existing approaches, T-MAP is dynamic and sensitive to system stakeholder value priorities and the IT environment. It distills the technical details of more than 23,000 known software vulnerabilities into management-friendly, high-level numbers.

Specifically, T-MAP involves the following steps:

  • Step 1: Identify key stakeholders and value propositions (the treasures in the castle).
  • Step 2: Establish a set of security evaluation criteria based on stakeholder value propositions.
  • Step 3: Enumerate and analyze attack paths based on a comprehensive COTS vulnerability database containing information on 27,400 vulnerabilities (the holes).
  • Step 4: Evaluate the severity of each scenario in terms of numeric ratings against the evaluation criteria established in Step 2 (the size of the holes).
  • Step 5: Quantify the security threat of each vulnerability as the total severity rating of all attack paths that are relevant to this vulnerability.
  • Step 6: Quantify the system's total threat as the total severity rating of all attack paths.
  • Step 7: Derive the effectiveness of security practices such as Firewall and software patching/hardening by (1) analyzing which attack paths the practice can suppress, and (2) comparing the system security threat weight before and after adopting the practice.

Steps 3-7 are automated by the Tiramisu Tool that we developed at CSSE.
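The steps above can be sketched in a few lines of Python. This is an added example, not Tiramisu's code or the authors' formulas: the inventory, the placeholder vulnerability ids, the 1-10 priorities and the rating rule (stakeholder priority times technical severity) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample inventory; every name, weight and id here is an assumption.
# Steps 1-2: stakeholder values, a 1-10 priority, and the impact types that hurt them.
VALUES = {
    "student_records": {"priority": 6, "impacts": {"confidentiality", "integrity"}},
    "course_website": {"priority": 4, "impacts": {"availability"}},
}
HOSTS = {  # which values each computer supports and what software it runs
    "db01": {"values": ["student_records"], "software": {"dbms"}},
    "web01": {"values": ["course_website", "student_records"], "software": {"httpd", "dbms"}},
}
VULNS = [  # placeholder ids, not real CVE names; severity is a 0-10 technical score
    {"id": "CVE-PLACEHOLDER-1", "software": "dbms", "impact": "confidentiality", "severity": 8, "patch": True},
    {"id": "CVE-PLACEHOLDER-2", "software": "httpd", "impact": "availability", "severity": 5, "patch": True},
    {"id": "CVE-PLACEHOLDER-3", "software": "httpd", "impact": "integrity", "severity": 9, "patch": False},
]

def attack_paths():
    """Steps 3-4: enumerate value/host/software/vulnerability paths and rate each."""
    paths = []
    for host, h in HOSTS.items():
        for v in VULNS:
            if v["software"] not in h["software"]:
                continue
            for value in h["values"]:
                if v["impact"] in VALUES[value]["impacts"]:
                    # Assumed rating rule: stakeholder priority x technical severity.
                    rating = VALUES[value]["priority"] * v["severity"]
                    paths.append({"value": value, "host": host, "vuln": v["id"], "patch": v["patch"], "rating": rating})
    return paths

def threat_by_vuln(paths):
    """Step 5: a vulnerability's threat is the sum of its attack-path ratings."""
    totals = defaultdict(int)
    for p in paths:
        totals[p["vuln"]] += p["rating"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

def total_threat(paths):
    """Step 6: system threat is the sum over all attack paths."""
    return sum(p["rating"] for p in paths)

def patching_effect(paths):
    """Step 7: patching suppresses every path whose vulnerability has a patch."""
    before = total_threat(paths)
    after = total_threat([p for p in paths if not p["patch"]])
    return before, after
```

In this constructed inventory the first placeholder outranks the third despite its lower technical severity, because it reaches a high-priority value on two hosts; the unpatched third placeholder is what remains after patching.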

T-MAP has been tested at several organizations including the USC Information Services Division (ISD), the Manual Art Senior High-school (MASH), and the African Millennium Foundation (AMF). In its initial usage, T-MAP has demonstrated significant strength in prioritizing Commercial Off The Shelf (COTS) software vulnerabilities and estimating security investment effectiveness, as well as in COTS security assessment early in the project life-cycle. Our client described the framework as "a valuable way of quantifying the very difficult tradeoffs that we have to make everyday".




Tiramisu Tool

We have developed a tool named Tiramisu that automates T-MAP to reduce the necessary human effort involved in security assessment. Tiramisu can enumerate the possible attack scenarios for IT systems based on a vulnerability database that includes the information of more than 27,400 known software vulnerabilities. Specifically, each attack scenario is specified with the following information:

  • The organizational value affected
  • The vulnerable computer
  • The vulnerable software
  • The CVE name of the vulnerability
  • The impact type of the vulnerability in terms of confidentiality, integrity, and/or availability
  • The patch availability of the vulnerability

Furthermore, the Tiramisu Tool can provide tangible evidence to assess the effectiveness of common security practices such as Firewall, system patching and hardening, enhancing physical security, creating backup systems, and data encryption.

As part of a case study conducted at USC ITS, the following example screenshot illustrates the Tiramisu output that enumerates the attack scenarios. Details can be found in this paper (pdf).

The following example illustrates the economic curve of security investment generated from the above results. It helps security managers identify the "sweet spot" to invest in security patching. Details can be found in this paper (pdf).



Selected Publications

• Ed Colbert, Barry Boehm, "Cost Estimation for Secure Software & Systems," ISPA / SCEA 2008 Joint International Conference

• Yue Chen, "Security Economics and Threat Modeling Based on Attack Path Analysis: - A Stakeholder Value Driven Approach", PhD Dissertation, Nov 2007

• Yue Chen, Barry Boehm, Luke Sheppard, "Measuring Security Investment Benefit for Off the Shelf Software Systems - A Stakeholder Value Driven Approach", The 2007 Workshop on the Economics of Information Security (WEIS 2007), June 2007

• Yue Chen, "Stakeholder Value Driven Threat Modeling for Off The Shelf Based Systems", The 29th International Conference on Software Engineering (ICSE), Doctoral Symposium, to appear in May, 2007

• Yue Chen, Barry Boehm, Luke Sheppard, "Measuring Security Investment Benefit for COTS Based Systems - A Stakeholder Value Driven Approach", CSSE Tech Report 2006-609, September 2006

• Yue Chen, Barry Boehm, Luke Sheppard, "Value Driven Security Threat Modeling Based on Attacking Path Analysis", The 40th Hawaii International Conference on System Sciences, Big Island, Hawaii, U.S. January 3-6, 2007

•  Ed Colbert, Dan Wu, Yue Chen, Dr. Barry Boehm, Cost Estimation for Secure Software & Systems, (Abstract), ISPA, Seattle, WA, 2006

Workshop and Presentations

• Yue Chen, Security Economics and Threat Modeling for Off-The-Shelf Systems, Workshop Tutorial, Workshop on Integrating Systems and Software Engineering, Los Angeles, Oct. 31, 2007

• Yue Chen, Value Driven Security Threat Modeling for Off The Shelf Software Systems, Workshop Presentation, the CSSE Annual Research Review, Los Angeles, Feb. 12-15, 2007

• Yue Chen, COTS Based System Security Economics, Workshop Presentation in the CSSE Convocation, Los Angeles, Oct. 23-26, 2006

•  Edward Colbert, Dan Wu, Yue Chen, Barry Boehm, Costing Security Systems, Presentation in the 18th International Forum on COCOMO and Software Cost Modeling (Oct. 26-29, 2004)

• Yue Chen, Barry Boehm, Winsor Brown, Ray Madachy, Estimate eServices Product Size with UML Metrics, Presentation in the CSE-Annual Research Review (March 16-19, 2004)

• Yue Chen, Barry Boehm, Ray Madachy, Ricardo Valerdi, Results of eServices Product Sizing Metric Correlations, Presentation in the 18th International Forum on COCOMO and Software Cost Modeling (Oct. 21-24, 2003)

•  Edward Colbert, Dan Wu, Yue Chen, Don Reifer, Barry Boehm, Costing Secure Systems, Presentation in the 18th International Forum on COCOMO and Software Cost Modeling (Oct. 21-24, 2003)


Call to Participate

To further mature and validate this exciting technology, we are looking for opportunities to collaborate with IT managers, system administrators and IT practitioners and help them to

  • Identify which security vulnerabilities reside in their systems and how they may affect the organization
  • Prioritize system security threats and vulnerabilities with respect to business context and stakeholder values
  • Compare and measure the cost-effectiveness of common security practices such as Firewall, system patching and hardening, enhancing physical security, creating backup systems, and data encryption, if interested
  • Visualize the economic payoff curve for IT security investment with tangible evidence, if interested
  • Identify the "sweet spot" to invest for IT security, if interested
