資訊安全弱點管理之決策方法

Chien-Cheng Huang; 黃健誠

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/16930

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	林永松
dc.contributor.author	Chien-Cheng Huang	en
dc.contributor.author	黃健誠	zh_TW
dc.date.accessioned	2021-06-07T23:50:06Z	-
dc.date.copyright	2014-02-26
dc.date.issued	2014
dc.date.submitted	2014-02-10
dc.identifier.citation	Alhazmi, O.H., Malaiya, Y.K., 2008. Application of vulnerability discovery models to major operating systems. IEEE Transactions on Reliability 57 (1), 14-22. Alhazmi, O.H., Malaiya, Y.K., Ray, I., 2007. Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security 26 (3), 219-228. Anderson, R., Moore, T., 2006. The economics of information security. Science 314 (5799), 610-613. Andrew, C., 2005. The five Ps of patch management: is there a simple way for businesses to develop and deploy an advanced security patch management strategy? Computers & Security 24 (5), 362–363. Arbaugh, W.A., Fithen,W.L., McHugh, J., 2000. Windows of vulnerability: a case study analysis. Computer 33 (12), 52-59. Arora, A., Caulkins, J.P., Telang, R., 2006. Research note-sell first, fix later: impact of patching on software quality. Management Science 52 (3), 465-471. Arora, A., Krishnan, R., Telang, R., Yang, Y., 2010. An empirical analysis of software vendors’ patch release behavior: impact of vulnerability disclosure. Information System Research 21 (1), 115-132. Arora, A., Telang, R., 2005. Economics of software vulnerability disclosure. IEEE Security & Privacy 3 (1), 20-25. Arora, A., Telang, R., Xu, H., 2008. Optimal policy for software vulnerability disclosure. Management Science 54 (4), 642-656. August, T., Tunca, T.I., 2006. Network software security and user incentives. Management Science 52 (11), 1703-1720. August, T., and Tunca, T.I., 2008. Let the pirates patch? an economic analysis of software security patch restrictions. Information Systems Research 19 (1), 48-70. Austin, R.D., Darby, C.A.R., 2003. The myth of secure computing. Harvard Business Review 81 (6), 120-126. Beres, Y., Griffin, J., Shiu, S., Heitman, M., Markle, D., Ventura, P., 2008. Analysing the performance of security solutions to reduce vulnerability exposure window. Proceedings of the 24th Annual Computer Security Applications Conference, pp. 33-42. Beres, Y., Griffin, J., 2012. Optimizing network patching policy decisions. Gritzalis, D., Furnell, S., and Theoharidou, M. (Eds.), Information Security and Privacy Research, Springer Berlin Heidelberg, IFIP Advances in Information and Communication Technology 376, 424-442. Bortolan, G., Degani, R., 1985. A review of some methods for ranking fuzzy subsets. Fuzzy Sets and Systems 15 (1), 1-19. Brykczynski, B., Small, R.A., 2003. Reducing internet-based intrusions: effective security patch management. IEEE Software 20 (1), 50-57. Buckley, J.J., 1985a. Ranking alternatives using fuzzy numbers. Fuzzy Sets and Systems 15 (1), 21-31. Buckley, J.J., 1985b. Fuzzy hierarchical analysis. Fuzzy Sets and Systems 17 (3), 233-247. Buckley, J.J., 2004. Fuzzy Statistics. First edition, Springer, Birmingham, AL, USA. Carr, N.G., 2003. IT doesn’t matter. Harvard Business Review 81 (5), 41-49. Cavusoglu, H., Cavusoglu, H., Raghunathan, S., 2007. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering 33 (3), 171-185. Cavusoglu, H., Cavusoglu, H., Zhang, J., 2008. Security patch management: share the burden or share the damage. Management Science 54 (4), 657-670. Cavusoglu, H., Mishra, B., Raghunathan, S., 2004. The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce 9 (1), 69-104. Chen, S.J., Hwang, C.L., 1992. Fuzzy Multiple Attribute Decision Making: Methods and Applications – A State-of-the-art Survey. Springer-Verlag, New York, NY, USA, pp. 465-486. Chen, T.Y., Wang, J.C., 2001. Identification of λ-fuzzy measures using sampling design and genetic algorithms. Fuzzy Sets and Systems 123 (3), 321-341. Choquet, G., 1953. Theory of capacities. Annales de l'institut Fourier 5, 131-295. Crampton, J., 2011. Practical and efficient cryptographic enforcement of interval-based access control policies. ACM Transactions on Information and System Security 14 (1), Article no. 14. Delgado, M., Verdegay, J.L., Vila, M.A., 1988. A Procedure for Ranking Fuzzy Numbers Using Fuzzy Relations. Fuzzy Sets and Systems 26 (1), 49-62. Farash, M.S., Bayat, M., Attari, M.A., 2011. Vulnerability of two multiple-key agreement protocols. Computers & Electrical Engineering 37 (2), 199-204. Fisher, M.L., 1981. The Lagrangean relaxation method for solving integer programming problems. Management Science 27 (1), 1-18. Fisher, M.L., 1985. An applications oriented guide to Lagrangean relaxation. Interfaces 15 (2), 10-21. Forcht, K.A., 1994. Computer Security Management. Boyd & Fraser, Danvers, MA, USA. Geoffrion, A.M., 1974, Lagrangean relaxation and its use in integer programming. Mathematical Programming Study 2, 82-114. Gerace, T., Cavusoglu, H., 2009. The critical elements of the patch management process. Communications of the ACM 52 (8), 117-121. Goel, S., Shawky, H.A., 2009. Estimating the market impact of security breach announcements on firm values. Information & Management 46 (7), 404-410. Gordon, L.A., Loeb, M.P., 2002. The economics of information security investment. ACM Transactions on Information and System Security 5 (4), 438-457. Gordon, L.A., Loeb, M.P., Sohail, T., 2010. Market value of voluntary disclosures concerning information security. MIS Quarterly 34 (3), 567-594. Gupta, M., Rees, J., Chaturvedi, A., Chi, J., 2006. Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decision Support Systems 41 (3), 592-603. Hellendoorn, H., Thomas, C., 1995. On quality defuzzification – theory and an application example. Bien, Z. and Min K.C. (Eds.), Fuzzy Logic and Its Applications to Engineering, Information Sciences, and Intelligent Systems 16, 167-176, 1995. Houmb, S.H., Franqueira, V.N.L., Engum E.A., 2010. Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software 83 (9), 1622-1634. Hovav, A., D’Arcy, J., 2003. The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review 6 (2), 97-121. Ioannidis, C., Pym, D., Williams, J., 2012. Information security trade-offs and optimal patching policies. European Journal of Operational Research 216 (2), 434-444. Ishikawa, A., Amagasa, M., Shiga, T., Tomizawa, G., Tatsuta, R., Mieno, H., 1993. The max–min Delphi method and fuzzy Delphi method via fuzzy integration. Fuzzy Sets and Systems, 55 (3), 241-253. Johnson, C., 2007. Implementation of commonly accepted security configurations for windows operating systems. OMB (Office of Management and Budget) Memo M-07-11. Kannan, K., Telang, R., 2005. Market for software vulnerabilities? think again. Management Science 51 (5), 726-740. Kaufmann, A., Gupta, M.M., 1988. Fuzzy Mathematical Models in Engineering and Management Science. Elsevier, New York, NY, USA. Lai, Y.P., Hsia, P.L., 2007. Using the vulnerability information of computer systems to improve the network security. Computer Communications 30 (9), 2032-2047. Lee, K.M., Leekwang, H., 1995. Identification of λ-fuzzy measure by genetic algorithms. Fuzzy Sets and Systems 75 (3), 301-309. Lesk, M., 2011. Cybersecurity and economics. IEEE Security & Privacy 9 (6), 76-79. Likert, R., 1932. A technique for the measurement of attitudes. Archives of Psychology 22 (140), 1-55. Liu, P., Zang, W., Yu, M., 2005. Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Transactions on Information and System Security 8 (1), 78-118. Liu, Q., Zhang, Y., 2011. VRSS: a new system for rating and scoring vulnerabilities. Computer Communications 34 (3), 264-273. Liu, Q., Zhang, Y., Kong, Y., Wu, Q., 2012. Improving VRSS-based vulnerability prioritization using analytic hierarchy process. Journal of Systems and Software 85 (8), 1699-1708. Martin, J., 1973. Security, Accuracy, and Privacy in Computer Systems. Prentice Hall, Upper Saddle River, NJ, USA. Martin, R.A., 2008. Making security measurable and manageable. In: Proceedings of the 2008 IEEE Military Communications Conference. Mell, P., Scarfone, K., Romanosky, S., 2006. Common vulnerability scoring system. IEEE Security & Privacy 4 (6), 85-89. Mell, P., Scarfone, K., 2007. Improving the common vulnerability scoring system. IET Information Security 1 (3), 119-127. Mell, P., Scarfone, K., Romanosky, S., 2007. A complete guide to the common vulnerability scoring system (CVSS), Version 2.0. Forum of Incident Response and Security Teams (FIRST). Microsoft, 2010. Statement of health for network access protection (NAP) protocol specification. Microsoft Corporation. Milian, M., 2011. Sony: hacker stole PlayStation users’ personal info. Cable News Network (CNN), April 26, 2011. MITRE, 2010a. Common vulnerabilities and exposures (CVE). MITRE, 2010b, Common weakness enumeration (CWE). Mookerjee, V., Mookerjee, R., Bensoussan, A., 2011. When hackers talk: managing information security under variable attack rates and knowledge dissemination. Information Systems Research 22 (3), 606-623. Murofushi, T., Sugeno, M., 1989. An interpretation of fuzzy measures and the Choquet integral as an integral with respect to a fuzzy measure. Fuzzy Sets and Systems 29 (2), 201-227. NIST, 2009. Recommended security controls for federal information systems and organizations. NIST Special Publication 800-53 Revision 3. NIST, 2010a. National vulnerability database (NVD), Version 2.2. NIST, 2010b. National checklist program repository. NIST, 2010c. Federal desktop core configuration (FDCC). OWASP, 2010. OWASP top 10-2010. The ten most critical web application security risk. Parker, D.B., 1981. Computer Security Management. Prentice Hall, Reston, VA, USA. Patton, R., 2005. Software Testing. Second edition, Sams, Indianapolis, IN, USA. Pavlou, P.A., Liang, H., Xue, Y., 2007. Understanding and mitigating uncertainty in online exchange relationships: a principal-agent perspective. MIS Quarterly 31 (1), 105-136. Quinn, S.D., Souppaya, M., Cook, M., Scarfone, K., 2011. National checklist program for IT products - guidelines for checklist users and developers. NIST Special Publication 800-70 Revision 2. Rahimi, S., Zargham, M., 2013. Vulnerability scrying method for software vulnerability discovery prediction without a vulnerability database. IEEE Transactions on Reliability 62 (2), 395-407. Ramakrishnan, C.R., Sekar, R., 2002. Model based analysis of configuration vulnerabilities. Journal of Computer Security 10 (1-2), 189-209. Ransbotham, S., Mitra, S., Ramsey, J., 2012. Are markets for vulnerabilities effective? MIS Quarterly 36 (1), 43-64. Rescorla, E., 2005. Is finding security holes a good idea? IEEE Security & Privacy 3 (1), 14-19. Rogers, R.W., 1975. A protection motivation theory of fear appeals and attitude change. Journal of Psychology 91, 93-114. Rogers, R.W., 1983. Cognitive and physiological processes in fear appeals and attitude change: a revised theory of protection motivation. Social Psychophysiology, 153-176. Ryu, Y.U., Rhee, H., 2008. Evaluation of intrusion detection systems under a resource constraint. ACM Transactions on Information and System Security 11 (4), Article no. 20. Saaty, T.L., 1980. The Analytic Hierarchical Process. MicGraw-Hill, New York, NY, USA. SANS Institute, 2009. Top cyber security risks - vulnerability exploitation trends. Scarfone, K., Mell, P., 2009. An analysis of CVSS version 2 vulnerability scoring. In: Proceedings of the Third International Symposium on Empirical Software Engineering and Measurement, pp. 516-525. Shahriari, H.R., Makarem, M.S., Sirjani, M., Jalili, R., Movaghar, A., 2010. Vulnerability analysis of networks to detect multiphase attacks using the actor-based language Rebeca. Computers & Electrical Engineering 36 (5), 874-885. Stiemerling, M., Quittek, J., Eggert, L., 2008. NAT and firewall traversal issues of host identity protocol (HIP) communication. RFC (Request for Comments) 5207, IETF (The Internet Engineering Task Force). Straub, D.W., 1990. Effective IS security: an empirical study. Information Systems Research 1 (3), 255-276. Straub, D.W., Welke, R.J., 1998. Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 (4), 441-469. Sugeno, M., Terano, T., 1977. A model of learning based on fuzzy information. Kybernetes 6 (3), 157-166. Takeda, E., 1995. Fuzzy Evaluation. in: Asai, K. (Ed.), Fuzzy Systems for Management, First edition, IOS Press, Amsterdam, Netherlands, pp. 43-55. Telang, R., Wattal, S., 2007. An empirical analysis of software vulnerability announcements on firm stock price. IEEE Transactions on Software Engineering 33 (8), 544-557. Teng, J.Y., Tzeng, G.H., 1993, Transportation investment project selection with fuzzy multi-objective. Transportation Planning and Technology 17(2), 91-112. The White House, 1998. The clinton administration’s policy on critical infrastructure protection. Presidential Decision Directive 63, White Paper. The White House, 2000a. National plan for information systems protection, Version 1.0. The White House, 2000b. Cyber Security Research and Development Act. The White House, 2002. E-government act of 2002, title 3 – information security. Trusted Computing Group, 2009. TCG trusted network connect TNC architecture for interoperability. Specification Version 1.4, Revision 4. Viduto, V., Maple, C., Huang, W., Lopez-Perez, D., 2012. A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decision Support Systems 53 (3), 599-610. Vishwanath, A., Herath, T., Chen, R., Wang, J., Rao, H.R., 2011. Why do people get phished? testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems 51 (3), 576–586. Waltermire, D., Quinn, S.D., Scarfone, K., Halbardier, A., 2011. The technical specification for the security content automation protocol (SCAP): SCAP Version 1.2. NIST Special Publication 800-126 Revision 2. Wang, X., Golle, P, Jakobsson, M., Tsow, A., 2010a. Deterring voluntary trace disclosure in re-encryption mix-networks. ACM Transactions on Information and System Security 13 (2), Article no. 18. Wang, J., Xiao, N., Rao, H.R., 2010b. Drivers of information security search behavior: an investigation of network attacks and vulnerability disclosures. ACM Transactions on Management Information Systems 1 (1), Article no. 3. Weck, M., Klocke, F., Schell, H., Ruenauver, E., 1997. Evaluating alternative production cycles using the extended fuzzy AHP method. European Journal of Operational Research 100 (2), 351-366. Winston, W.L., 2004. Operations Research: Application and Algorithms. Fourth edition, Brooks/Cole, Belmont, CA, USA. Woo, S.W., Joh, H.C., Alhazmi, O.H., Malaiya, Y.K., 2011. Modeling vulnerability discovery process in Apache and IIS HTTP servers. Computers & Security 30 (1), 50-62. Yayla, A.A., Hu, Q., 2011. The impact of information security events on the stock value of firms: the effect of contingency factors. Journal of Information Technology 26, 60-77.
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/16930	-
dc.description.abstract	本研究主要建立能反映弱點資訊安全程度之分析模式，據以作為評估資訊系統危險程度、篩選危險弱點及改善資訊系統危險因子之基礎。本研究提出應用模糊層級分析法，將影響資訊安全之弱點的交叉因素系統化並建立評估架構。首先，經由模糊德菲法篩選出主要影響資訊安全的層面及其相對影響因素，然後建立各因素之隸屬函數，組成弱點資訊安全程度之模糊綜合決策模式，可以瞭解各弱點在主要影響層面的資訊安全表現程度，藉以瞭解資訊系統安全潛在危險因子，作為改善方案之參考依據。其次，提出改進傳統模糊綜合決策模式假設各評估層面及評估準則間之加法性與獨立性的糢糊測度方式，建立弱點資訊安全程度模糊積分決策模式，考量現實人類主觀評價之特性。本研究結果顯示評估模式具有實用性，並且可應用於評量新發現的弱點之資訊安全程度；在模糊積分決策於模式建立過程中顯示，可充分反應出重要影響資訊安全層面間之加乘影響的特性。另一方面，根基於前述研究結果之權重及資訊安全程度，在有限的防禦資源限制下，提出資訊安全弱點管理之防禦資源配置策略，來最大化資訊安全效益，以提高防禦能力。分析此問題為非線性規劃的數學最佳化問題，本研究經由求解找出較佳的防禦資源配置，並進行分析與探討。	zh_TW
dc.description.abstract	The aim of this study is to formulate an analysis model that can express security vulnerability grades and serve as a basis for the evaluation of information program danger levels or for filtering hazardous system vulnerabilities, and to improve it to counter various security threats. Using a fuzzy analytic hierarchy process, this paper organizes crossover factors of system blind spots, and builds an evaluation framework. First, via the fuzzy Delphi method, aspects and relative determinants affecting security are screened. It then identifies the value equation of each factor, and settles the fuzzy synthetic vulnerability decision-making model. This model can analyze the various degrees to which vulnerabilities affect system security, and this information will serve as a basis for future ameliorations of the system itself. This study also proposes an improvement from the traditional fuzzy synthetic decision-making model for measuring the fuzziness between the enhancement and independence of various aspects and criteria. Furthermore, taking human subjectivity into consideration, this paper constructs a fuzzy integral decision-making model. The case study demonstrates that the evaluation model in question is practical and can be applied to new vulnerabilities to measure their degree of penetration. In addition, the fuzzy integral decision-making model emphasizes the multiply-add effect between various factors influencing information security. On the other hand, based on the above results’ weight and security level, with limited defense resources, this research proposes defense resource allocation strategies for security vulnerability management in order to maximize security utility and improve defense capability. As the problem is a mathematical optimization problem of nonlinear programming, this study finds the near optimal defense resource allocations for analysis and discussion through the problem-solving process.	en
dc.description.provenance	Made available in DSpace on 2021-06-07T23:50:06Z (GMT). No. of bitstreams: 1 ntu-103-D97725002-1.pdf: 5380574 bytes, checksum: 928ffe5d24112dcf164e5d0f598fec05 (MD5) Previous issue date: 2014	en
dc.description.tableofcontents	Chapter 1 Introduction 1 1.1 Research Background and Motivation 1 1.2 Research Objectives 3 1.3 Organization of the Dissertation 5 Chapter 2 Literature Reviews 6 2.1 Information Security Healthcare 6 2.2 Scoring Systems 8 2.3 Security Evaluation Factor of Vulnerabilities 9 2.4 Vulnerability Lifecycle and Patch Management 12 Chapter 3 Security Vulnerability Evaluation Methods 14 3.1 Model Logic and Structure 14 3.1.1 Model Logic 14 3.1.2 Model Structure 15 3.1.3 Formulation Procedure 16 3.2 Fuzzy Synthetic Decision Making 18 3.2.1 Definition of Evaluation Criteria Set and Evaluation Grade Set 18 3.2.2 Define the Weight of Various Evaluation Criteria 20 3.2.3 Define the Performance Appraisal Membership Function of Each Evaluation Criterion 21 3.2.4 Overall Evaluation 24 3.2.5 Defuzzification 25 3.3 Fuzzy Integral Decision Making 26 3.3.1 Deciding the λ Measure and Obtaining the Importance Level 27 3.3.2 Fuzzy Integral 28 3.3.3 Prioritization of Vulnerability Security Level 29 Chapter 4 Implementations of Security Vulnerability Prioritization 31 4.1 Formulation of Analysis Structure 31 4.1.1 Analysis Structure and Evaluation Criteria 31 4.1.2 Filter of Evaluation Criteria 31 4.2 Define the Relative Weight of the Evaluation Criterion 33 4.2.1 Design of Questionnaires and Investigation 33 4.2.2 Evaluating the Relative Weight of Evaluation Criteria 34 4.3 Formulation of Membership Function 37 4.4 Defining the λ Fuzzy Measure 45 4.5 Case Studies 47 4.5.1 Implementations of Fuzzy Synthetic Decision Making 49 4.5.2 Implementations of Fuzzy Integral Decision Making 53 4.6 Discussions 54 Chapter 5 Defense Resource Allocation Strategies for Security Vulnerability Management 56 5.1 Problem Formulation 56 5.1.1 Problem Description and Assumptions of Problem 1 56 5.1.2 Mathematical Formulation of Problem 1 59 5.1.3 Problem Description and Assumptions of Problem 2 62 5.1.4 Mathematical Formulation of Problem 2 65 5.2 Solution Approach 67 5.2.1 Lagrangean Relaxation of Problem 1 67 5.2.2 Getting Primal Feasible Solutions for Problem 1 71 5.2.3 Lagrangean Relaxation of Problem 2 72 5.2.4 Getting Primal Feasible Solutions for Problem 2 76 5.3 Computational Experiments 77 5.3.1 Experimental Results for Problem 1 77 5.3.2 Experimental Results for Problem 2 83 Chapter 6 Conclusions and Remarks 89 References 91
dc.language.iso	en
dc.subject	防禦資源配置	zh_TW
dc.subject	資訊安全弱點	zh_TW
dc.subject	資訊安全評估	zh_TW
dc.subject	模糊層級分析法	zh_TW
dc.subject	模糊綜合決策	zh_TW
dc.subject	模糊積分決策	zh_TW
dc.subject	security vulnerability	en
dc.subject	fuzzy synthetic decision making	en
dc.subject	fuzzy analytic hierarchy process	en
dc.subject	security evaluation	en
dc.subject	defense resource allocation	en
dc.subject	fuzzy integral decision making	en
dc.title	資訊安全弱點管理之決策方法	zh_TW
dc.title	Decision Making Approaches for Security Vulnerability Management	en
dc.type	Thesis
dc.date.schoolyear	102-1
dc.description.degree	博士
dc.contributor.oralexamcommittee	孫雅麗,陳孟彰,莊東穎,李漢銘
dc.subject.keyword	資訊安全弱點,資訊安全評估,模糊層級分析法,模糊綜合決策,模糊積分決策,防禦資源配置,	zh_TW
dc.subject.keyword	security vulnerability,security evaluation,fuzzy analytic hierarchy process,fuzzy synthetic decision making,fuzzy integral decision making,defense resource allocation,	en
dc.relation.page	100
dc.rights.note	未授權
dc.date.accepted	2014-02-11
dc.contributor.author-college	管理學院	zh_TW
dc.contributor.author-dept	資訊管理學研究所	zh_TW
顯示於系所單位：	資訊管理學系

文件中的檔案：

檔案	大小	格式
ntu-103-1.pdf 未授權公開取用	5.25 MB	Adobe PDF

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。