An EGovernance Information Security Risk Model Using Security Metrics

Abstract

Information security is a crucial aspect of e-Governance projects. An e-Governance project will not succeed without appropriate information security arrangements, since a breach in security means loss of trust and goodwill. Apart from this, it is the responsibility of the Government to protect citizen's data and privacy. Appropriate risk assessment is very necessary for e-Governance projects. Many researchers have applied various soft computing techniques to risk assessment. The literature review also revealed the use of security metrics for security risk assessment. Metrics are important tools for decision making. They ensure quality during the collection, analysis, and reporting of relevant data for better performance.

The National Institute of Standards and Technology (NIST) has developed Security Content Automation Program (SCAP) based security metrics to support data-driven risk assessment. SCAP is a collection of specifications intended to standardize the way security software solutions communicate software security flaw and configuration information. Many authors have utilized SCAP-based automated security metrics such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), Common Weakness Scoring System (CWSS), Common Weakness Risk Assessment Framework (CWRAF), Common Attack Pattern Enumeration and Classification (CAPEC), etc. for effective risk evaluation and for risk, threat, attack, and vulnerability analysis and modelling.

In this study, two such studies related to risk assessment, zero-day vulnerability prediction and attack prioritization based on security metrics were identified for detailed study, and a new model based on these studies has been proposed after incorporating a new approach and parameters.

In the first study, the authors (Wang, Wang, Guo, Zhou, and Camargo, 2010) proposed an algorithm for attack ranking in their paper "Attack ranking based on vulnerability analysis". The authors utilized the CVE, CVSS, CWE, and CAPEC security metrics for attack ranking.
