Page 31 - 2020

exploit code availability, technical knowledge about the vulnerability in the hacker world, etc. Using patch availability as the only factor for bifurcating vulnerabilities in the attack ranking requires improvement, and this lacuna is addressed in our proposed model.

In the second study, the author (Chatzipoulidis, 2015), in the thesis “Enterprise management and software risk prediction based on security metrics”, provided a method to predict zero-day vulnerabilities. The thesis also offers a qualitative risk calculation method for the three security properties, viz. confidentiality, integrity, and availability. Qualitative risk assessment has certain disadvantages: it does not provide a clear picture of the risk and of the damage due to the risk, since the achieved results have a general character and are approximations. The proposed model overcomes this gap by conducting a quantitative risk assessment, whose generated results are a numeric and exact representation of the risk value.
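The two gaps discussed above (ranking vulnerabilities on patch availability alone, and reporting risk only as qualitative bands) can be made concrete with a small script. The following is an added illustration and not the model of this thesis or of Chatzipoulidis (2015): the additional ranking factors follow the text (patch availability, exploit code availability, technical knowledge), but the point values, the C/I/A weights, the band thresholds, and the three sample vulnerabilities are all constructed for the example.

```python
from dataclasses import dataclass, field

# All weights, thresholds and sample records below are constructed for this
# illustration; they are not values taken from the thesis.


@dataclass
class Vulnerability:
    name: str
    patch_available: bool      # the single factor used by the patch-only bifurcation
    exploit_public: bool       # whether exploit code is publicly available
    knowledge: int             # technical knowledge in the hacker world: 0 (obscure) .. 3 (widely documented)
    likelihood: float          # assumed probability of an exploitation attempt, 0..1
    impact: dict = field(default_factory=dict)  # loss per property 'C', 'I', 'A' on a 0..1 scale


def patch_only_bucket(v: Vulnerability) -> str:
    """Bifurcation the text criticises: only two classes, unpatched or patched."""
    return "unpatched" if not v.patch_available else "patched"


def rank_patch_only(vulns):
    """Order by patch availability only; order inside a bucket stays arbitrary (input order)."""
    return [v.name for v in sorted(vulns, key=lambda v: v.patch_available)]


def attack_score(v: Vulnerability) -> int:
    """Hypothetical multi-factor attack score in 0..9 (higher means more attackable)."""
    score = 3 if not v.patch_available else 0   # no fix available yet
    score += 3 if v.exploit_public else 0        # working exploit code in circulation
    score += v.knowledge                         # how well the technique is understood
    return score


def rank_multi_factor(vulns):
    """Order by the multi-factor score, most attackable first."""
    return [v.name for v in sorted(vulns, key=attack_score, reverse=True)]


# Hypothetical relative value of the three security properties (sums to 1).
PROPERTY_WEIGHT = {"C": 0.5, "I": 0.3, "A": 0.2}


def quantitative_risk(v: Vulnerability) -> float:
    """Numeric risk value: likelihood times weighted impact over C, I and A, on 0..1."""
    impact = sum(PROPERTY_WEIGHT[p] * v.impact.get(p, 0.0) for p in PROPERTY_WEIGHT)
    return round(v.likelihood * impact, 3)


def qualitative_band(risk: float) -> str:
    """Coarse band of the kind a qualitative assessment reports; thresholds are constructed."""
    if risk >= 0.5:
        return "High"
    if risk >= 0.2:
        return "Medium"
    return "Low"


# Constructed sample: a platform-level RCE, an OS-level DoS and an application-level XSS.
SAMPLE = [
    Vulnerability("webserver-rce", patch_available=False, exploit_public=True, knowledge=3,
                  likelihood=0.8, impact={"C": 1.0, "I": 1.0, "A": 1.0}),
    Vulnerability("os-local-dos", patch_available=False, exploit_public=False, knowledge=1,
                  likelihood=0.3, impact={"A": 0.6}),
    Vulnerability("app-xss", patch_available=True, exploit_public=True, knowledge=3,
                  likelihood=0.6, impact={"C": 0.4, "I": 0.3}),
]

if __name__ == "__main__":
    print("patch-only ranking   :", rank_patch_only(SAMPLE))
    print("multi-factor ranking :", rank_multi_factor(SAMPLE))
    for v in SAMPLE:
        r = quantitative_risk(v)
        print(f"{v.name:14s} bucket={patch_only_bucket(v):9s} score={attack_score(v)} "
              f"risk={r:.3f} band={qualitative_band(r)}")
```

Running it shows both gaps at once: the patch-only ranking places the patched but widely exploited XSS last, behind an obscure local DoS, whereas the multi-factor score ranks it second; and the DoS and the XSS land in the same qualitative band ("Low") although their numeric risk values differ by almost a factor of five, which is exactly the information a band-only report discards.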

Security audits have been conducted for Government websites and e-Governance applications before the initial hosting of the application and after each major update to the application. The application still remains vulnerable to attacks if the hosting platform, i.e. the Operating System (OS) and Web Server, is not secure against known attacks and zero-day vulnerabilities. It is essential to conduct a periodic risk assessment of the hosting environment, apart from routine hardening and patch management for the platform. In this context a platform-centric risk assessment model has been proposed with three main components: 1) Attack and Weakness ranking, 2) “Zero-Day” Vulnerability and risk prediction, and 3) Risk assessment in the local IT context.

The proposed model is useful for conducting a risk assessment, zero-day vulnerability prediction, and ranking of attacks and weaknesses related to the particular e-Governance application platform. In addition, the model also provides holistic risk assessment coverage by including the hosting environment along with the application for the purpose of risk assessment. The study offers a new approach to platform-centric risk assessment for e-Governance applications, and it will be particularly useful for security auditors, security professionals and system administrators.

Key words: Information Security, Risk Assessment, Security Metrics, e-Governance
