Proactive risk management in information systems

Managing security risks is one of the major challenges in modern information systems. Threats often come via the World Wide Web and are therefore difficult to predict. Thus, attackers can always be a step ahead of us and reactive approach based on known security incidents is not sufficient. A much higher security level can be achieved by active detection and neutralization of software vulnerabilities. When a large number of vulnerabilities are present in the system, they have to be prioritized for removal according to their severity. With a proactive approach, where we foresee which vulnerabilities will be more likely exploited in practice, the highest level of security can be assured. A widely used prioritization policy based upon a CVSS (Common Vulnerability Scoring System) score is frequently criticised for bad effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. One of the key challenges in this area is therefore to identify the indicators of exploitation. Since the exploitation of vulnerability is basically a human threat, it is reasonable to take into account the characteristics of typical attackers. We propose several methods for setting priorities that take this into account. Methods have to be compared according to their effectiveness in risk mitigation. To this end, we have developed a valuation model that allows such comparisons. Proposed methods, which take into account human threats, were compared with the most popular existing methods. In the experiment we used vulnerability data from publicly available databases. Experimental results show that methods which take into account the characteristics of attackers are generally more effective than existing methods. The effectiveness was also confirmed in some real cases of information systems in practice