1 - 43 of 43
  • 1.
    Andersson, Dennis
    et al.
    Swedish Defense Research Agency.
    Granåsen, Magdalena
    Swedish Defense Research Agency.
    Sundmark, Thomas
    Swedish Defense Research Agency.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Hallberg, Jonas
    Swedish Defense Research Agency.
    Exploratory Sequential Data Analysis of a Cyber Defence Exercise (2011). In: Proceedings of the International Defense and Homeland Security Simulation Workshop (DHSS) 2011, Caltek s.r.l., 2011, pp. 27-32. Conference paper (Refereed)
    Abstract [en]

    Baltic Cyber Shield 2010 (BCS), a multi-national civil-military cyber defence exercise (CDX), aimed to improve the capability of performing a CDX and investigate how IT attacks and defence of critical infrastructure can be studied. The exercise resulted in a massive dataset to be analyzed and many lessons learned in planning and executing a large-scale multinational CDX. A reconstruction & exploration (R&E) approach was used to capture incidents such as attacks and defensive counter-measures during the exercise. This paper introduces the usage of R&E combined with exploratory sequential data analysis (ESDA) and discusses benefits and limitations of using these methods for analyzing multi-national cyber defence exercises. Using ESDA we were able to generate statistical data on attacks from BCS, such as the number of reported attacks by the attackers and the defenders on different types of services. Initial results from these explorations will be analyzed and discussed.

  • 2.
    Buschle, Markus
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Sommestad, Teodor
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Shahzad, Khurram
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A tool for automatic enterprise architecture modeling (2011). In: Proceedings of the CAiSE Forum 2011, 2011, pp. 25-32. Conference paper (Refereed)
    Abstract [en]

    Enterprise architecture is an approach which aims to provide decision support based on organization-wide models. The creation of these models is however cumbersome as multiple aspects of an organization need to be considered. The Enterprise Architecture approach would be significantly less demanding if data used to create the models could be collected automatically. This paper illustrates how a vulnerability scanner can be utilized for data collection in order to automatically create enterprise architecture models. We show how this approach can be realized by extending an earlier presented Enterprise Architecture tool. An example is provided through a case study applying the tool on a real network.

  • 3.
    Buschle, Markus
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Sommestad, Teodor
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Shahzad, Khurram
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A Tool for automatic Enterprise Architecture modeling (2012). In: IS Olympics: Information Systems in a Diverse World, Springer, 2012, pp. 1-15. Conference paper (Refereed)
    Abstract [en]

    Enterprise Architecture is an approach which aims to provide decision support based on organization-wide models. The creation of these models is however cumbersome as multiple aspects of an organization need to be considered. The Enterprise Architecture approach would be significantly less demanding if data used to create the models could be collected automatically. This paper illustrates how a vulnerability scanner can be utilized for data collection in order to automatically create Enterprise Architecture models, especially covering infrastructure aspects. We show how this approach can be realized by extending an earlier presented Enterprise Architecture tool. An example is provided through a case study applying the tool on a real network.

  • 4.
    Dennis, Andersson
    et al.
    Swedish Defense Research Agency.
    Granåsen, Magdalena
    Swedish Defense Research Agency.
    Sundmark, Thomas
    Swedish Defense Research Agency.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Hallberg, Jonas
    Swedish Defense Research Agency.
    Analysis of a Cyber Defense Exercise using Exploratory Sequential Data Analysis (2011). Conference paper (Refereed)
    Abstract [en]

    Baltic Cyber Shield 2010 (BCS), a multi-national civil-military cyber defense exercise (CDX), aimed to improve the capability of performing a CDX and investigate how IT attacks and defense of critical infrastructure can be studied. The exercise resulted in a massive dataset to be analyzed and many lessons learned in planning and executing a large-scale multi-national CDX. A reconstruction & exploration (R&E) approach was used to capture incidents such as attacks and defensive countermeasures during the exercise. This paper introduces the usage of R&E combined with exploratory sequential data analysis (ESDA) and discusses benefits and limitations of using these methods for analyzing multi-national cyber defense exercises. Using ESDA we were able to generate statistical data on attacks from BCS, such as the number of reported attacks by the attackers and the defenders on different types of services. Initial results from these explorations will be analyzed and discussed.

  • 5.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A Framework and Calculation Engine for Modeling and Predicting the Cyber Security of Enterprise Architectures (2014). Doctoral thesis, comprehensive summary (Other academic)
    Abstract [sv]

    Information technology (IT) is a cornerstone of our modern society and fundamental to states' management of public services, economic growth and national security. It is therefore important that IT systems are kept in a reliable and secure state. As modern IT systems usually consist of a multitude of different integrated components, including the people and processes that use or support the system (often referred to as enterprise architecture), this is unfortunately no simple task. To make matters worse, there are also malicious actors who intend to exploit vulnerabilities in the enterprise architecture in order to perform unauthorized activity within it. Various models have been proposed by academia and industry to identify and treat vulnerabilities in enterprise architectures, but there is as yet no model that is sufficiently comprehensive.

    The contribution presented in this thesis is a modeling framework and a calculation engine that can be used to support organizational decision makers with respect to security matters. In summary, the contribution can be used to model and analyze the vulnerability of enterprise architectures, and to propose improvements based on its estimates. The contribution has been tested in case studies and validated at both the component level and the system level; the results from these studies show that it is suitable for supporting organizational decision making.

    The thesis is a compilation thesis consisting of eight papers. Paper 1 describes a method and a dataset that can be used to validate the contribution of the thesis and other models like it. Paper 2 presents which statistical distributions are best suited to describe the time required to compromise a computer. Paper 3 describes estimates of the time required to discover new vulnerabilities in web applications. Paper 4 describes estimates of the possibility of circumventing web application firewalls. Paper 5 describes a study of the time required for an attacker to acquire critical vulnerabilities and programs to exploit them for compiled software. Paper 6 presents the effectiveness of seven commonly used tools for automatically identifying vulnerabilities in networks. Paper 7 describes the ability of the signature-based intrusion detection system Snort to detect attacks that are newer, or older, than its rule set. Finally, Paper 8 describes a tool that can be used to estimate the vulnerability of enterprise architectures; the basis for this tool is the results presented in Papers 1-7.

  • 6.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A Large-Scale Study of the Time Required To Compromise a Computer System (2014). In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 11, no. 1, p. 6506084. Journal article (Refereed)
    Abstract [en]

    A frequent assumption in the domain of cybersecurity is that cyberintrusions follow the properties of a Poisson process, i.e., that the number of intrusions is well modeled by a Poisson distribution and that the time between intrusions is exponentially distributed. This paper studies this property by analyzing all cyberintrusions that have been detected across more than 260,000 computer systems over a period of almost three years. The results show that the assumption of a Poisson process model might be unoptimal: the log-normal distribution is a significantly better fit in terms of modeling both the number of detected intrusions and the time between intrusions, and the Pareto distribution is a significantly better fit in terms of modeling the time to first intrusion. The paper also analyzes whether time to compromise (TTC) increases for each successful intrusion of a computer system. The results regarding this property suggest that time to compromise decreases along the number of intrusions of a system.

  • 7.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Baltic Cyber Shield: Research from a Red Team versus Blue Team Exercise (2012). In: PenTest Magazine, ISSN 2084-1116, Vol. 9, pp. 80-86. Journal article (Other (popular science, discussion, etc.))
    Abstract [en]

    This article describes one of the few red team versus blue team exercises to date that focused on producing research, namely, the Baltic Cyber Shield (BCS). Various research has been conducted based on the data gathered during this exercise; this article describes two of these studies.

  • 8.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Performance of automated network vulnerability scanning at remediating security issues (2012). In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 31, no. 2, pp. 164-175. Journal article (Refereed)
    Abstract [en]

    This paper evaluates how large a portion of an enterprise's network security holes would be remediated if one followed the remediation guidelines provided by seven automated network vulnerability scanners. Remediation performance was assessed for both authenticated and unauthenticated scans. The overall findings suggest that a vulnerability scanner is a usable security assessment tool, given that credentials are available for the systems in the network. However, there are issues with the method: manual effort is needed to reach complete accuracy and the remediation guidelines are oftentimes very cumbersome to study. Results also show that a scanner more accurate in terms of remediating vulnerabilities generally also is better at detecting vulnerabilities, but is in turn also more prone to false alarms. This is independent of whether the scanner is provided system credentials or not.

  • 9.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter? (2014). In: 2014 47th Hawaii International Conference on System Sciences, HICSS, IEEE Computer Society, 2014, pp. 4895-4904. Conference paper (Refereed)
    Abstract [en]

    A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is however on overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.

  • 10.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Buschle, Markus
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Lagerström, Robert
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Automatic data collection for enterprise architecture models (2014). In: Software and Systems Modeling, ISSN 1619-1366, E-ISSN 1619-1374, Vol. 13, no. 2, pp. 825-841. Journal article (Refereed)
    Abstract [en]

    Enterprise Architecture (EA) is an approach used to provide decision support based on organization-wide models. The creation of such models is, however, cumbersome as multiple aspects of an organization need to be considered, making manual efforts time-consuming and error prone. Thus, the EA approach would be significantly more promising if the data used when creating the models could be collected automatically, a topic not yet properly addressed by either academia or industry. This paper proposes network scanning for automatic data collection and uses an existing software tool for generating EA models (ArchiMate is employed as an example) based on the IT infrastructure of enterprises. While some manual effort is required to make the models fully useful in many practical scenarios (e.g., to detail the actual services provided by IT components), empirical results show that the methodology is accurate and (in its default state) requires little effort to carry out.

  • 11.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A metamodel for web application injection attacks and countermeasures (2012). In: Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation: 7th Workshop, TEAR 2012, and 5th Working Conference, PRET 2012, Held at The Open Group Conference 2012, Barcelona, Spain, October 23-24, 2012. Proceedings / [ed] Stephan Aier, Mathias Ekstedt, Florian Matthes, Erik Proper, Jorge L. Sanz, Springer, 2012, pp. 198-217. Conference paper (Refereed)
    Abstract [en]

    Web application injection attacks such as cross site scripting and SQL injection are common and problematic for enterprises. In order to defend against them, practitioners with large heterogeneous system architectures and limited resources struggle to understand the effectiveness of different countermeasures under various conditions. This paper presents an enterprise architecture metamodel that can be used by enterprise decision makers when deciding between different countermeasures for web application injection attacks. The scope of the model is to provide low-effort guidance on an abstraction level of use for an enterprise decision maker. This metamodel is based on a literature review and revised according to the judgment by six domain experts identified through peer-review.

  • 12.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Estimates on the effectiveness of web application firewalls against targeted attacks (2013). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 21, no. 4, pp. 250-265. Journal article (Refereed)
    Abstract [en]

    Purpose – The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.

    Design/methodology/approach – Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.

    Findings – The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.

    Research limitations/implications – The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.

    Practical implications – The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.

    Originality/value – WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.

  • 13.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Andersson, Dennis
    Swedish Defense Research Agency.
    Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks (2012). In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 9, no. 6, pp. 825-837. Journal article (Refereed)
    Abstract [en]

    The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored according to this method. As computer systems typically have multiple vulnerabilities, it is often desirable to aggregate the score of individual vulnerabilities to a system level. Several such metrics have been proposed, but their quality has not been studied. This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks. The empirical data originates from an international cyber defense exercise involving over 100 participants and were collected by studying network traffic logs, attacker logs, observer logs, and network vulnerabilities. The results suggest that security modeling with CVSS data alone does not accurately portray the time-to-compromise of a system. However, results also show that metrics employing more CVSS data are more correlated with time-to-compromise. As a consequence, models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.

  • 14.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Sommestad, Teodor
    Swedish Defense Research Agency.
    Effort estimates on web application vulnerability discovery (2013). Conference paper (Refereed)
    Abstract [en]

    Web application vulnerabilities are widely considered a serious concern. However, there are as of yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe APIs, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke's classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even though all measures have been employed during development. If no measure is employed, 7 hours is enough to find a vulnerability with 95% certainty.

  • 15.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Sommestad, Teodor
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Korman, Matus
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A Manual for the Cyber Security Modeling Language (2013). Report (Other academic)
    Abstract [en]

    The Cyber Security Modeling Language (CySeMoL) is an attack graph tool that can be used to estimate the cyber security of enterprise architectures. CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. This report functions as a manual to facilitate practical usage and understanding of CySeMoL.

  • 16.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Korman, Matus
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A Bayesian Model for Likelihood Estimations of Acquirement of Critical Software Vulnerabilities and Exploits. Manuscript (preprint) (Other academic)
  • 17.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Korman, Matus
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits (2015). In: Information and Software Technology, ISSN 0950-5849, E-ISSN 1873-6025, Vol. 58, pp. 304-318. Journal article (Refereed)
    Abstract [en]

    Context: Software vulnerabilities in general, and software vulnerabilities with publicly available exploits in particular, are important to manage for both developers and users. This is however a difficult matter to address as time is limited and vulnerabilities are frequent. Objective: This paper presents a Bayesian network based model that can be used by enterprise decision makers to estimate the likelihood that a professional penetration tester is able to obtain knowledge of critical vulnerabilities and exploits for these vulnerabilities for software under different circumstances. Method: Data on the activities in the model are gathered from previous empirical studies, vulnerability databases and a survey with 58 individuals who all have been credited for the discovery of critical software vulnerabilities. Results: The proposed model describes 13 states related by 17 activities, and a total of 33 different datasets. Conclusion: Estimates by the model can be used to support decisions regarding what software to acquire, or what measures to invest in during software development projects.

  • 18.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Rocha Flores, Waldo
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ericsson, Göran
    Cyber Security for a Smart Grid: What About Phishing? (2013). In: 2013 4th IEEE/PES Innovative Smart Grid Technologies Europe, ISGT Europe 2013, IEEE, 2013, p. 6695407. Conference paper (Refereed)
    Abstract [en]

    Lack of awareness of cyber security threats is an important topic to address for the future smart grid. A particularly troubling issue is social engineering by email, or as it is more commonly depicted, phishing. This study analyzes important aspects of phishing using two unannounced experiments. The results show that applying more context specific information to an attack is not necessarily effective; users still get deceived but nobody reports the occurrence of phishing. From an enterprise perspective, a phishing exercise roused discussions on security awareness without significantly agitating participants.

  • 19.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Shahzad, Khurram
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Buschle, Markus
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language (2015). In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 12, no. 6, pp. 626-639. Journal article (Refereed)
    Abstract [en]

    This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P2CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P2CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. The performance of P2CySeMoL enables quick calculations of large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.

  • 20.
    Holm, Hannes
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Sommestad, Teodor
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Almroth, Jonas
    Swedish Research Defense Agency.
    Persson, Mats
    Swedish Research Defense Agency.
    A quantitative evaluation of vulnerability scanning (2011). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 19, no. 4, pp. 231-247. Journal article (Refereed)
    Abstract [en]

    Purpose – The purpose of this paper is to evaluate if automated vulnerability scanning accurately identifies vulnerabilities in computer networks and if this accuracy is contingent on the platforms used.

    Design/methodology/approach – Both qualitative comparisons of functionality and quantitative comparisons of false positives and false negatives are made for seven different scanners. The quantitative assessment includes data from both authenticated and unauthenticated scans. Experiments were conducted on a computer network of 28 hosts with various operating systems, services and vulnerabilities. This network was set up by a team of security researchers and professionals.

    Findings – The data collected in this study show that authenticated vulnerability scanning is usable. However, automated scanning is not able to accurately identify all vulnerabilities present in computer networks. Also, scans of hosts running Windows are more accurate than scans of hosts running Linux.

    Research limitations/implications – This paper focuses on the direct output of automated scans with respect to the vulnerabilities they identify. Areas such as how to interpret the results assessed by each scanner (e.g. regarding remediation guidelines) or aggregating information about individual vulnerabilities into risk measures are out of scope.

    Practical implications – This paper describes how well automated vulnerability scanners perform when it comes to identifying security issues in a network. The findings suggest that a vulnerability scanner is a usable tool to have in your security toolbox given that user credentials are available for the hosts in your network. Manual effort is however needed to complement automated scanning in order to get satisfactory accuracy regarding network security problems.

    Originality/value – Previous studies have focused on the qualitative aspects of vulnerability assessment. This study presents a quantitative evaluation of seven of the most popular vulnerability scanners available on the market.

  • 21.
    Holm, Hannes
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    CySeMoL: A tool for cyber security analysis of enterprises (2013). In: CIRED, 2013. Conference paper (peer-reviewed)
    Abstract [en]

    The Cyber Security Modelling Language (CySeMoL) is a tool for quantitative cyber security analyses of enterprise architectures. This paper describes the CySeMoL and illustrates its use through an example scenario involving cyber attacks against protection and control assets located in an electrical substation.

  • 22.
    Holm, Hannes
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Vulnerability assessment of SCADA systems (2011). Report (other academic)
  • 23.
    Holm, Hannes
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Honeth, Nicholas
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Indicators of expert judgement and their significance: An empirical investigation in the area of cyber security (2014). In: Expert systems (Print), ISSN 0266-4720, E-ISSN 1468-0394, Vol. 3, no. 4, pp. 299-318. Journal article (peer-reviewed)
    Abstract [en]

    In situations when data collection through observations is difficult to perform, the use of expert judgement can be justified. A challenge with this approach is, however, to value the credibility of different experts. A natural and state-of-the-art approach is to weight the experts' judgements according to their calibration, that is, on the basis of how well their estimates of a studied event agree with actual observations of that event. However, when data collection through observations is difficult to perform, it is often also difficult to estimate the calibration of experts. As a consequence, variables thought to indicate calibration are generally used as a substitute for it in practice. This study evaluates the value of three such indicative variables: consensus, experience and self-proclamation. The significance of these variables is analysed in four surveys covering different domains in cyber security, involving a total of 271 subjects. Results show that consensus is a reasonable indicator of calibration. The mean Pearson correlation between these two variables across the four studies was 0.407. No significant correlations were found between calibration and experience or between calibration and self-proclamation. However, as a side result, it was discovered that a subject that perceives itself as more knowledgeable than others is likely also more experienced.

  • 24.
    Holm, Hannes
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Franke, Ulrik
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Expert assessment on the probability of successful remote code execution attacks (2011). In: Proceedings of 8th International Workshop on Security in Information Systems - WOSIS 2011, 2011, pp. 49-58. Conference paper (peer-reviewed)
    Abstract [en]

    This paper describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks – presence of: (i) non-executable memory, (ii) access and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The rest of the relevant variables were fixed by the environment of a cyber defense exercise where the respondents participated. The questionnaire was fully completed by fifteen experts. These experts perceived access as the most important variable and availability of exploits for High vulnerabilities as more important than Medium vulnerabilities. Non-executable memory was not seen as significant, however, presumably due to lack of address space layout randomization and canaries in the network architecture of the cyber defense exercise scenario.

  • 25.
    Holm, Hannes
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Franke, Ulrik
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Success Rate of Remote Code Execution Attacks: Expert Assessments and Observations (2012). In: Journal of universal computer science (Online), ISSN 0948-695X, E-ISSN 0948-6968, Vol. 18, no. 6, pp. 732-749. Journal article (peer-reviewed)
    Abstract [en]

    This paper describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks: (i) non-executable memory, (ii) access and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The rest of the relevant variables were fixed by the environment of a cyber defense exercise in which the respondents participated. The questionnaire was fully completed by fifteen experts. These experts perceived access as the most important variable and availability of exploits for High vulnerabilities as more important than for Medium vulnerabilities. Non-executable memory was not seen as significant. Estimates by the experts are compared to observations of actual attacks carried out during the cyber defense exercise. These comparisons show that experts in general provide fairly inaccurate advice on an abstraction level such as the one in the present study. However, results also show that a prediction model constructed through expert judgment is likely of better quality if the experts' estimates are weighted according to their expertise.

  • 26.
    Jensen, Martin
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sel, Cumhur
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Franke, Ulrik
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Nordström, Lars
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Availability of a SCADA/OMS/DMS system - A case study (2010). In: IEEE PES Innovative Smart Grid Technologies Conference Europe, ISGT Europe, Gothenburg, 2010. Conference paper (peer-reviewed)
    Abstract [en]

    With the advent of the smart grid, new challenges arise for electricity distribution. In particular, reliable power distribution will become ever more dependent upon information and communication technology (ICT). With this increasing dependency comes a need for a deeper understanding of the availability of those ICT components that maintain the power grid. This paper presents a study in which all components of a supervisory control and data acquisition (SCADA), Outage Management (OMS) and Distribution Management (DMS) system at a power utility are analyzed from an availability perspective, identifying the parts of the system that contribute the most to overall system downtime. Furthermore, the case study involves a downsizing of the redundancy in the IT system architecture. This downsizing makes it very interesting to investigate how hardware redundancy relates to the overall SCADA/OMS/DMS system availability. Such knowledge is required to assess the rationality of the architectural restructuring decision, as well as for more general rational decision making when it comes to the ICT components of the power distribution grid. It is concluded that even in the new architecture, the remaining hardware redundancy level is enough. Instead, it is found that most of the downtime of the SCADA/OMS/DMS system is caused by failing software, which causes all the redundant hardware to become unavailable at the same time. Since the software is a third-party component from the supplier of the system, one important source of downtime can be seen as emanating from the requirements and procurement process of the company.

  • 27.
    Lagerström, Robert
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Marcks von Würtemberg, Liv
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Luczak, Oscar
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Identifying Factors Affecting Software Development Cost (2010). In: Proc. of the Fourth International Workshop on Software Quality and Maintainability (SQM), 2010. Conference paper (peer-reviewed)
    Abstract [en]

    Software systems of today are often complex, making development costs difficult to estimate. This paper uses data from 50 projects performed at one of the largest banks in Sweden to identify factors that have an impact on software development cost. Correlation analysis of the relationship between factor states and project costs was assessed using ANOVA and regression analysis. Ten out of the original 32 factors turned out to have an impact on software development project cost at the Swedish bank, including the number of function points and involved risk. Some of the factors found to have an impact on cost are already included in estimation models such as COCOMO II and SEER-SEM, for instance function points and software platform. Thus, this paper validates these well-known factors for cost estimation. However, several of the factors found in this study are not included in established models for software development cost estimation. Thus, this paper also provides indications for possible extensions of these models.

  • 28.
    Lagerström, Robert
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    von Würtemberg, Liv Marcks
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Luczak, Oscar
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Identifying factors affecting software development cost and productivity (2012). In: Software Quality Journal, ISSN 0963-9314, Vol. 20, no. 2, pp. 395-417. Journal article (peer-reviewed)
    Abstract [en]

    Software systems of today are often complex, making development costs difficult to estimate. This paper uses data from 50 projects performed at one of the largest banks in Sweden to identify factors that have an impact on software development cost. Correlation analysis of the relationship between factor states and project costs was assessed using ANOVA and regression analysis. Ten out of the original 31 factors turned out to have an impact on software development project cost at the Swedish bank, including the number of function points, involved risk, number of budget revisions, primary platform, project priority, commissioning body's unit, commissioning body, number of project participants, project duration, and number of consultants. In order to be able to compare projects of different size and complexity, this study also considers the software development productivity, defined as the amount of function points per working hour in a project. The study at the bank indicates that the productivity is affected by factors such as performance of estimation and prognosis efforts, project type, number of budget revisions, existence of a testing conductor, presentation interface, and number of project participants. A discussion addressing how the productivity factors relate to cost estimation models and their factors is presented. Some of the factors found to have an impact on cost are already included in estimation models such as COCOMO II, TEAMATe, and SEER-SEM, for instance function points and software platform. Thus, this paper validates these well-known factors for cost estimation. However, several of the factors found in this study are not included in established models for software development cost estimation. Thus, this paper also provides indications for possible extensions of these models.

  • 29.
    Närman, Per
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Honeth, Nicholas
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Using enterprise architecture analysis and interview data to estimate service response time (2013). In: Journal of strategic information systems, ISSN 0963-8687, E-ISSN 1873-1198, Vol. 22, no. 1, pp. 70-85. Journal article (peer-reviewed)
    Abstract [en]

    Insight into service response time is important for service-oriented architectures and service management. However, directly measuring the service response time is not always feasible and can be very costly. This paper extends an analytical modeling method which uses enterprise architecture modeling to support the analysis. The extensions consist of (i) a formalization using the Hybrid Probabilistic Relational Model formalism, (ii) an implementation in an analysis tool for enterprise architecture and (iii) a data collection approach using expert assessments collected via interviews and questionnaires. The accuracy and cost effectiveness of the method were tested empirically by comparing it with direct performance measurements of five services of a geographical information system at a Swedish utility company. The tests indicate that the proposed method can be a viable option for rapid service response time estimates when a moderate accuracy within 15% is sufficient.

  • 30.
    Närman, Per
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Höök, David
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Honeth, Nicholas
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Johnson, Pontus
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Using enterprise architecture and technology adoption models to predict application usage (2012). In: Journal of Systems and Software, ISSN 0164-1212, E-ISSN 1873-1228, Vol. 85, no. 8, pp. 1953-1967. Journal article (peer-reviewed)
    Abstract [en]

    Application usage is an important parameter to consider in application portfolio management. This paper presents an enterprise architecture analysis framework which can be used to assess application usage. The framework, in the form of an architecture metamodel, incorporates variables from the previously published Technology Acceptance Model (TAM) and the Task-Technology Fit (TTF) model. The paper describes how the metamodel has been tailored for a specific domain, viz. industrial maintenance management. The metamodel was tested in the maintenance management domain through a survey with 55 respondents at five companies. Data collected in the survey showed that the domain-specific metamodel is able to explain variations in maintenance management application usage. Integrating the TAM and TTF variables with an architecture metamodel allows architects to reuse research results smoothly, thereby aiding them in producing good application portfolio decision support.

  • 31.
    Närman, Per
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Johnson, Pontus
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    König, Johan
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Chenine, Moustafa
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Data accuracy assessment using enterprise architecture (2011). In: Enterprise Information Systems, ISSN 1751-7575, E-ISSN 1751-7583, Vol. 5, no. 1, pp. 37-58. Journal article (peer-reviewed)
    Abstract [en]

    Errors in business processes result in poor data accuracy. This article proposes an architecture analysis method which utilises ArchiMate and the Probabilistic Relational Model formalism to model and analyse data accuracy. Since the resources available for architecture analysis are usually quite scarce, the method advocates interviews as the primary data collection technique. A case study demonstrates that the method yields correct data accuracy estimates and is more resource-efficient than a competing sampling-based data accuracy estimation method.

  • 32.
    Rocha Flores, Waldo
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Svensson, Gustav
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ericsson, Göran
    Svenska Kraftnät, Swedish National Grid.
    Using Phishing Experiments and Scenario-based Surveys to Understand Security Behaviours in Practice (2013). In: Proceedings of the European Information Security Multi-Conference: (EISMC 2013), 2013, pp. 79-90. Conference paper (peer-reviewed)
    Abstract [en]

    Threats from social engineering can cause organisations severe damage if they are not considered and managed. In order to understand how to manage those threats, it is important to examine reasons why organisational employees fall victim to social engineering. In this paper, the objective is to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator. In order to attain this objective, we collect data through a scenario-based survey and conduct phishing experiments in three organisations. The results from the experiment reveal that the degree of target information in an attack increases the likelihood that an organisational employee falls victim to an actual attack. Further, an individual's trust and risk behaviour significantly affects the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) have a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the performance in the scenario-based survey and the experiment was found. We argue that this result does not imply that one or the other method should be ruled out, as they both have advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security. Discussions of the findings, implications and recommendations for future research are further provided.

  • 33.
    Rocha Flores, Waldo
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Svensson, Gustav
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ericsson, Göran
    Swedish national grid.
    Using phishing experiments and scenario-based surveys to understand security behaviours in practice (2014). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 22, no. 4, pp. 393-406. Journal article (peer-reviewed)
    Abstract [en]

    Purpose - The purpose of the study was threefold: to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator; to investigate if adding information about the victim to an attack increases the probability of the attack being successful; and, finally, to investigate if there is a correlation between self-reported and observed behaviour.

    Design/methodology/approach - Factors for investigation were identified based on a review of existing literature. Data were collected through a scenario-based survey, phishing experiments, journals and follow-up interviews in three organisations.

    Findings - The results from the experiment revealed that the degree of target information in an attack increased the likelihood that an organisational employee falls victim to an actual attack. Further, an individual's trust and risk behaviour significantly affected the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men), had a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the results from the scenario-based survey and the experiments was found.

    Research limitations/implications - One limitation is that the scenario-based survey may have been interpreted differently by the participants. Another is that controlling how the participants reacted when receiving the phishing mail, and what actually triggered each and every participant to click on the attached link, was not possible. Data were however collected to capture these aspects during and after the experiments. In conclusion, the results do not imply that one or the other method should be ruled out, as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security.

    Originality/value - Two different methods to collect data to understand security behaviours have rarely been used in previous research. Studies that add target information to understand if such information could increase the probability of attack success are sparse. This paper includes both approaches.

  • 34.
    Rocha Flores, Waldo
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Assessing Future Value of Investments in Security-Related IT Governance Control Objectives: Surveying IT Professionals (2011). Conference paper (peer-reviewed)
    Abstract [en]

    Optimizing investments in IT governance towards better information security is an understudied topic in the academic literature. Further, collecting empirical evidence by surveying IT professionals on their relative opinion in this matter has not yet been explored to its full potential. This paper has tried to somewhat overcome this gap by surveying IT professionals on the expected future value from investments in security-related IT governance control objectives. The paper has further investigated if there are any control objectives that provide more value than others and are therefore more beneficial to invest in. The Net Present Value (NPV) technique has been used to assess the IT professionals' relative opinion on the generated future value of investments in 19 control objectives. The empirical data was collected through a survey distributed to professionals from the IT security, governance and/or assurance domain and analyzed using standard statistical tools. The results indicate that the vast majority of investments in control objectives are expected to yield a positive NPV and are beneficial to an organization. This result implies that investments in control objectives are expected to generate future value for a firm, which is an important finding since many of the benefits from an investment are indirectly related and may occur well into the future. The paper moreover contributes to strengthening the link between IT governance and information security.

  • 35.
    Rocha Flores, Waldo
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Sommestad, Teodor
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Assessing Future Value of Investments in Security-Related IT Governance Control Objectives: Surveying IT Professionals (2011). In: Electronic Journal of Information Systems Evaluation, ISSN 1566-6379, E-ISSN 1566-6379, Vol. 14, no. 2, pp. 216-227. Journal article (peer-reviewed)
    Abstract [en]

    Optimizing investments in IT governance towards better information security is an understudied topic in the academic literature. Further, collecting empirical evidence by surveying IT professionals on their relative opinion in this matter has not yet been explored to its full potential. This paper has tried to somewhat overcome this gap by surveying IT professionals on the expected future value from investments in security-related IT governance control objectives. The paper has further investigated if there are any control objectives that provide more value than others and are therefore more beneficial to invest in. The Net Present Value (NPV) technique has been used to assess the IT professionals' relative opinion on the generated future value of investments in 19 control objectives. The empirical data was collected through a survey distributed to professionals from the IT security, governance and/or assurance domain and analyzed using standard statistical tools. The results indicate that the vast majority of investments in control objectives are expected to yield a positive NPV and are beneficial to an organization. This result implies that investments in control objectives are expected to generate future value for a firm, which is an important finding since many of the benefits from an investment are indirectly related and may occur well into the future. The paper moreover contributes to strengthening the link between IT governance and information security.

  • 36.
    Sommestad, Teodor
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    The Cyber Security Modeling Language: A Tool for Assessing the Vulnerability of Enterprise System Architectures (2013). In: IEEE Systems Journal, ISSN 1932-8184, E-ISSN 1937-9234, Vol. 7, no. 3, pp. 363-373. Journal article (peer-reviewed)
    Abstract [en]

    The cyber security modeling language (CySeMoL) is a modeling language for enterprise-level system architectures coupled to a probabilistic inference engine. If the computer systems of an enterprise are modeled with CySeMoL, this inference engine can assess the probability that attacks on the systems will succeed. The theory used for the attack-probability calculations in CySeMoL is a compilation of research results on a number of security domains and covers a range of attacks and countermeasures. The theory has previously been validated on a component level. In this paper, the theory is also validated on a system level. A test indicates that the reasonableness and correctness of CySeMoL assessments compare with the reasonableness and correctness of the assessments of a security professional. CySeMoL's utility has been tested in case studies.

  • 37.
    Sommestad, Teodor
    et al.
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Ekstedt, Mathias
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Holm, Hannes
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Afzal, Muhammad
    KTH, Skolan för elektro- och systemteknik (EES), Industriella informations- och styrsystem.
    Security mistakes in information system deployment projects (2011). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 19, no. 2, pp. 80-94. Journal article (peer-reviewed)
    Abstract [en]

    Purpose - This paper aims to assess the influence of a set of human and organizational factors in information system deployments on the probability that a number of security-related mistakes are present in the deployment.

    Design/methodology/approach - A Bayesian network (BN) is created and analyzed over the relationship between mistakes and causes. The BN is created by eliciting qualitative and quantitative data from experts of industrial control system deployments in the critical infrastructure domain.

    Findings - The data collected in this study show that domain experts have a shared perception of how strong the influence of human and organizational factors is. According to domain experts, this influence is strong. This study also finds that security flaws are common in industrial control systems operating critical infrastructure.

    Research limitations/implications - The model presented in this study is created with the help of a number of domain experts. While they agree on qualitative structure and quantitative parameters, future work should assure that their opinion is generally accurate.

    Practical implications - The influence of a set of important variables related to organizational/human aspects on information security flaws is presented.

    Social implications - The context of this study is deployments of systems that operate nations' critical infrastructure. The findings suggest that initiatives to secure such infrastructures should not be purely technical.

    Originality/value - Previous studies have focused on either the causes of security flaws or the actual flaws that can exist in installed information systems. However, little research has been spent on the relationship between them. The model presented in this paper quantifies such relationships.

  • 38.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Effort estimates for vulnerability discovery projects, 2012. In: Proceedings of the 45th Hawaii International Conference on System Sciences, 2012, pp. 5564-5573. Conference paper (Peer reviewed)
    Abstract [en]

    Security vulnerabilities continue to be an issue in the software field and new severe vulnerabilities are discovered in software products each month. This paper analyzes estimates from domain experts on the amount of effort required for a penetration tester to find a zero-day vulnerability in a software product. Estimates are developed using Cooke's classical method for 16 types of vulnerability discovery projects, each corresponding to a configuration of four security measures. The estimates indicate that, regardless of project type, two weeks of testing are enough to discover a software vulnerability of high severity with fifty percent chance. In some project types eight to five weeks are enough to find a zero-day vulnerability with 95 percent probability. While all studied measures increase the effort required for the penetration tester, none of them has a striking impact on the effort required to find a vulnerability.

  • 39.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Estimates of Success Rates of Denial-of-Service Attacks, 2011. In: 2011 IEEE 10th International Conference: Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE conference proceedings, 2011, pp. 21-28. Conference paper (Peer reviewed)
    Abstract [en]

    Denial-of-service (DoS) attacks are an imminent and real threat to many enterprises. Decision makers in these enterprises need to be able to assess the risk associated with such attacks and to make decisions regarding measures to put in place to increase the security posture of their systems. Experiments, simulations and analytical research have produced data related to DoS attacks. However, these results have been produced for different environments and are difficult to interpret, compare, and aggregate for the purpose of decision making. This paper aims to summarize knowledge available in the field by synthesizing the judgment of 23 domain experts using an established method for expert judgment analysis. Different system architectures' vulnerability to DoS attacks is assessed together with the impact of a number of countermeasures against DoS attacks.

  • 40.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Estimates of success rates of remote arbitrary code execution attacks, 2012. In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 20, no. 2, pp. 107-122. Journal article (Peer reviewed)
    Abstract [en]

    Purpose: The purpose of this paper is to identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks. In other words, attacks which use software vulnerabilities to execute the attacker's own code on targeted machines. Both attacks against servers and attacks against clients are studied. Design/methodology/approach: The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server-side attacks and eight for client-side attacks. The assessment is made through domain experts and is synthesized using Cooke's classical method, an established method for weighting experts' judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts. Findings: Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server-side attacks and between 43 and 67 percent for client-side attacks. Based on these scenarios, the influence of different protective measures is identified. Practical implications: The results of this study offer guidance to decision makers on how to best secure their assets against remote code execution attacks. These results also indicate the overall risk posed by this type of attack. Originality/value: Attacks that use software vulnerabilities to execute code on targeted machines are common and pose a serious risk to most enterprises. However, there are no quantitative data on how difficult such attacks are to execute or on how effective security measures are against them. The paper provides such data using a structured technique to combine expert judgments.

  • 41.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Threats and vulnerabilities, final report, 2011. Report (Other academic)
  • 42.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Honeth, Nicholas
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Quantifying the effectiveness of intrusion detection systems in operation through domain experts. Journal article (Other academic)
    Abstract [en]

    An intrusion detection system is a security measure that can help system administrators in enterprise environments to detect attacks made against networks and their hosts. Evaluating the effectiveness of IDSs by experiments or observations is however difficult and costly. This paper describes the result of a study where 165 domain experts in the intrusion detection field estimated the effectiveness of 24 different scenarios pertaining to detection of remote arbitrary code exploits.

  • 43.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Honeth, Nicholas
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Quantifying the Effectiveness of Intrusion Detection Systems in Operation through Domain Experts, 2014. In: Journal of Information System Security, ISSN 1551-0123, E-ISSN 1551-0808, Vol. 10, no. 2, pp. 3-35. Journal article (Peer reviewed)
    Abstract [en]

    An intrusion detection system (IDS) is a security measure that can help system administrators in enterprise environments detect attacks made against computer networks. In order to be a good enterprise security measure, the IDS solution should be effective when it comes to making system operators aware of on-going cyber-attacks. However, it is difficult and costly to evaluate the effectiveness of IDSs by experiments or observations. This paper describes the result of an alternative approach to studying this topic. The effectiveness of 24 different IDS solution scenarios pertaining to remote arbitrary code exploits is evaluated by 165 domain experts. The respondents' answers were then combined according to Cooke's classical method, in which respondents are weighted based on how well they perform on a set of test questions. Results show that the single most important factor is whether either a host-based IDS or a network-based IDS is in place. Assuming that either one or the other is in place, the most important course of action is to tune the IDS to its environment. The results also show that an updated signature database influences the effectiveness of the IDS less than whether the vulnerability that is being exploited is well-known and possible to patch or not.
