Open Access Open Access  Restricted Access Subscription Access


Igor Kotenko, Elena Doynikova


The paper suggests the multilevel approach to the risk assessment that is based on the system of security metrics and techniques for their calculation. Proposed techniques are based on attack graphs and service dependencies. They allow evaluating security of network topologies, malefactors and attack characteristics, and integral security properties and characteristics calculated on the basis of the cost-benefit and zero-day vulnerability analysis. Classification of these characteristics and separation of the security information on static, dynamic and historical allows defining different assessment levels. The paper considers the main issues and recommendations for using the risk assessment techniques based on the suggested approach.


Cyber security; security metrics; risk assessment; attack graphs; service dependencies.

Full Text:



M. S. Ahmed, E. Al-Shaer, L. Khan, A novel quantitative approach for measuring network security, Proceedings of the 27th Conference on Computer Communications (INFOCOM'08), Phoenix, AZ, USA (April 13-18, 2008), pp. 1957-1965.

C. W. Axelrod, Accounting for value and uncertainty in security metrics, Information Systems Control Journal, (6) (2008), pp. 1-6.

R. Barabanov, S. Kowalski, L. Yngstrom, Information Security Metrics. State of the Art, DSV Report series, No. 11-007 (March 2011).

N. Bartol, Practical measurement framework for software assurance and information security (Version 1.0), Software Assurance Measurement Working Group (2008). Available at

B. A. Blakely, Cyberprints Identifying cyber attackers by feature analysis, Doctoral Dissertation, Iowa State University, 2012.

Common Configuration Enumeration (СCE) [Electronic resource]. Available at

The CIS Security Metrics, The Center for Internet Security, 2009.

Common Platform Enumeration (CPE) [Electronic resource]. Available at

Common Vulnerabilities and Exposures (CVE). [Electronic resource]. Available at

R. Dantu, P. Kolan, J. Cangussu, Network risk management using attacker profiling, Security and Communication Networks, (1) (2009), pp. 83-96.

L. Hayden, IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data, McGraw-Hill, 2010, 396 p.

D. S. Herrmann, Complete Guide to Security and Privacy Metrics, Auerbach Publications, 2007, 848 p.

K. J. S. Hoo, How much is enough? A risk-management approach to computer security, PhD thesis, Stanford University, CA, 2000.

N. C. Idika, Characterizing and Aggregating Attack Graph-based Security Metrics, CERIAS Tech Report 2010-23, Center for Education and Research Information Assurance and Security, Purdue University, August 2010.

ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, 2008.

M. Jahnke, C. Thul and P. Martini, Graph-based metrics for intrusion response measures in computer networks, Proceedings of the 3rd IEEE Workshop on Network Security, held in conjunction with 32nd IEEE Conference on Local Computer Networks, Dublin (2007).

W. Kanoun, N. Cuppens-Boulahia, F. Cuppens, J. Araujo, Automated reaction based on risk analysis and attackers skills in intrusion detection systems, Proceedings of the third International Conference on Risks and Security of Internet and Systems (CRiSIS'08), Toezer, Tunisia (2008), pp. 117-124.

N. Kheir, Response policies & counter-measures: Management of service dependencies and intrusion and reaction impacts, PhD Thesis, Telecom Bretagne, 2010.

N. Kheir, N. Cuppens-Boulahia, F. Cuppens, H. Debar, A service dependency model for cost-sensitive intrusion response, Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS'10), Athens, Greece (2010), pp. 626-642.

I. Kotenko, M. Stepashkin, Attack graph based evaluation of network security, Proceedings of the 10th IFIP Conference on Communications and Multimedia Security (CMS'2006), Heraklion, Greece (2006), pp. 216-227.

I. Kotenko, E. Doynikova, Security metrics for risk assessment of distributed information systems, Proceedings of the IEEE 7th International Conference on “Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications” (IDAACS'2013), Berlin, Germany, pp. 646-650.

I. Kotenko, A. Chechulin, and E. Novikova, Attack Modelling and Security Evaluation for Security Information and Event Management, Proceedings of the International Conference on Security and Cryptography (SECRYPT 2012), Rome, Italy, pp. 391-394.

I. Kotenko, A. Chechulin, Common Framework for Attack Modeling and Security Evaluation in SIEM Systems, Proceedings of the 2012 IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing, Besancon, France, IEEE Computer Society, Los Alamitos, California (2012), pp. 94-101.

I. Kotenko and A. Chechulin, Attack Modeling and Security Evaluation in SIEM Systems, International Transactions on Systems Science and Applications, (8) 2012, pp. 129-147.

I. Kotenko and A. Chechulin, A Cyber Attack Modeling and Impact Assessment Framework, 5th International Conference on Cyber Conflict 2013 (CyCon 2013), Proceedings. IEEE and NATO COE Publications, Tallinn, Estonia, pp. 119-142.

J. M. Lorenzo, AlienVault Users Manual. Version 1.0, AlienVault, 2010-2011.

P. K. Manadhata, J. M. Wing, An attack surface metric, IEEE Transactions on Software Engineering, (37) 3 (2011), pp. 371-386.

A. Mayer, Operational Security Risk Metrics: Definitions, Calculations, Visualizations, Metricon 2.0. CTO RedSeal Systems, 2007.

P. Mell, K. Scarfone, S. Romanosky, A Complete Guide to the Common Vulnerability Scoring System Version 2.0, June 2007.

National Institute of Standard and Technologies. Available at

T. R. Peltier, How to complete a risk assessment in 5 days or less, Auerbach publications, 2008, 55 p.

T. Olsson, Assessing security risk to a network using a statistical model of attacker community competence, Proceedings of the 11th International Conference on Information and Communications Security (ICICS'2009), Beijing, China, pp. 308-324.

N. Poolsappasit, R. Dewri, I. Ray, Dynamic security risk management using Bayesian attack graphs, IEEE Transactions on Dependable and Security Computing, (9) 1 (2012), pp. 61-74.

S. Quinn, D. Waltermire, C. Johnson, K. Scarfone, J. Banghart, The technical specification for the security content automation protocol (Version 1.0), Gaithersburg, MD: National Institute of Standards and Technology, 2009. Available at

N. Stakhanova, S. Basu, and J. Wong, A cost-sensitive model for preemptive intrusion response systems, Proceedings of the 21st International Conference on Advanced Networking and Applications, Washington, DC, USA, IEEE Computer Society (2007), pp. 428-435.

T. Toth and C. Kruegel, Evaluating the impact of automated intrusion response mechanisms, 18th Annual Computer Security Applications Conference (ACSAC), 2002, pp.301-310.

L. Wang, A. Singhal, S. Jajodia, and S. Noel, k-zero day safety: measuring the security risk of networks against unknown attacks, Proceedings of the 15th European conference on Research in computer security, Springer-Verlag Berlin, Heidelberg (2010), pp. 573-587.

Y.-S. Wu, B. Foo, Y.-C. Mao, S. Bagchi, and E. H. Spafford, Automated adaptive intrusion containment in systems of interacting services, Computer Networks: The International Journal of Computer and Telecommunications Networking, (51) (2007), pp. 1334-1360.


  • There are currently no refbacks.