Page 30 - 2020

Ph.D. (Computer Application)

AN E-GOVERNANCE INFORMATION SECURITY RISK MODEL USING SECURITY METRICS

Ph.D. Scholar: Pandya Devenkumar Chandravadan
Research Supervisor: Dr. N. J. Patel
Regi. No.: 14146041001

Abstract:
Information security is a crucial aspect of e-Governance projects. An e-Governance project will not succeed without appropriate information security arrangements, since a breach in security means loss of trust and goodwill. Apart from this, it is the responsibility of the Government to protect citizens' data and privacy. Appropriate risk assessment is therefore essential for e-Governance projects. Many researchers have applied various soft computing techniques to risk assessment. The literature review also revealed the use of security metrics for security risk assessment. Metrics are important tools for decision making: they ensure quality during the collection, analysis and reporting of the relevant data, and so support better performance.

The National Institute of Standards and Technology (NIST) has developed Security Content Automation Program (SCAP) based security metrics to support data-driven risk assessment. SCAP is a collection of specifications intended to standardize the way security software solutions communicate software security flaw and configuration information. Many authors have utilized SCAP-based automated security metrics such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), Common Weakness Scoring System (CWSS), Common Weakness Risk Assessment Framework (CWRAF) and Common Attack Pattern Enumeration and Classification (CAPEC) for effective risk evaluation and for risk, threat, attack and vulnerability analysis and modelling.

In this study, two such works, covering risk assessment, zero-day vulnerability prediction and attack prioritization based on security metrics, were identified for detailed study, and a new model based on them has been proposed after incorporating a new approach and new parameters.

In the first study, the authors (Wang, Wang, Guo, Zhou, & Camargo, 2010) proposed an algorithm for attack ranking in their paper "Attack ranking based on vulnerability analysis". They utilized the CVE, CVSS, CWE and CAPEC security metrics for attack ranking. According to the authors, recently revealed vulnerabilities cause more risk because a patch for the vulnerability is not available immediately. In an actual attack scenario, however, risk does not depend only on patch availability but also on other factors like
