Information infrastructure risk prediction through platform vulnerability analysis
References
Aburrous, 2010, Experimental case studies for investigating e-banking phishing techniques and attack strategies, J. Cogn. Comput., 2, 242, 10.1007/s12559-010-9042-7
Aduda, 2012, The relationship between electronic banking and financial performance among commercial banks in Kenya, J. Finance Investment Anal., 1, 99
Aggelis, 2005
Alhazmi, 2007, Measuring, analyzing and predicting security vulnerabilities in software systems, Comput. Secur., 26, 219, 10.1016/j.cose.2006.10.002
Angelakopoulos, 2011, E-banking: challenges and opportunities in the Greek banking sector, Electron. Commerce Res., 11, 297, 10.1007/s10660-011-9076-2
Bilge, 2012, Before we knew it: an empirical study of zero-day attacks in the real world, 833
Brændeland, 2010, Modular analysis and modelling of risk scenarios with dependencies, J. Syst. Softw., 83, 1995, 10.1016/j.jss.2010.05.069
Buttner, A., 2009. CPE Specification 2.2 http://cpe.mitre.org/files/cpe-specification_2.2.pdf (last visited March 2014)
Cavano, 1984, Software reliability measurement: prediction, estimation, and assessment, J. Syst. Softw., 4, 269, 10.1016/0164-1212(84)90026-8
Cheikes, B.A., Waltermire, D., Scarfone, K., 2011. Common Platform Enumeration: Naming Specification Version 2.3, NISTIR 7695, http://csrc.nist.gov/publications/nistir/ir7695/NISTIR-7695-CPE-Naming.pdf (last visited March 2014)
Chowdhury, 2011, Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities, J. Syst. Architect., 57, 294, 10.1016/j.sysarc.2010.06.003
CLUSIF, 2009. Risk management, concepts and methods. White paper, http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-risk-management.pdf (last visited March 2014).
Corder, 2009
Druzdzel, 1996, Qualitative verbal explanations in Bayesian belief networks, Artif. Intell. Simul. Behav. Quart. Netw., 94, 43
Fenton, 2011
Gigerenzer, 2002
Gikandi, 2010, Adoption and effectiveness of electronic banking in Kenya, Electron. Commerce Res. Appl., 9, 277, 10.1016/j.elerap.2009.12.003
Gnedenko, 2005, 57
Google, 2007. Severity guidelines for security issues. http://dev.chromium.org/developers/severity-guidelines (last visited March 2014).
Grunske, 2008, Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles, J. Syst. Softw., 81, 1327, 10.1016/j.jss.2007.11.716
Hastie, 2009, The Elements of Statistical Learning: Data Mining, Inference, and Prediction, 153
Houmb, 2010, Quantifying security risk level from CVSS estimates of frequency and impact, J. Syst. Softw., 83, 1622, 10.1016/j.jss.2009.08.023
Huang, 2013, A novel approach to evaluate software vulnerability prioritization, J. Syst. Softw., 86, 2822, 10.1016/j.jss.2013.06.040
ISO, 2009. Risk management vocabulary. ISO Guide 73:2009.
Keuzenkamp, 2000, 35
Khatri, 2013, E-banking: cryptography with unique identity, Int. J. Res. IT Manage., 3, 78
Kondabagil, 2007
Koons, 2010, Information Technology Risk Management in Enterprise Environments
Liu, 2011, VRSS: a new system for rating and scoring vulnerabilities, Comput. Commun., 34, 264, 10.1016/j.comcom.2010.04.006
Liu, 2012, Improving VRSS-based vulnerability prioritization using analytic hierarchy process, J. Syst. Softw., 85, 1699, 10.1016/j.jss.2012.03.057
Marsaglia, 2003, Evaluating Kolmogorov’s distribution, J. Stat. Softw., 8, 1, 10.18637/jss.v008.i18
Martinez, 2009, 5772, 357
Masera, 2007, A Service-Oriented Approach for Assessing Infrastructure Security, Critical Infrastructure Protection, 367, 10.1007/978-0-387-75462-8_26
Massey, 1951, The Kolmogorov–Smirnov test for goodness of fit, J. Am. Stat. Assoc., 46, 68, 10.1080/01621459.1951.10500769
MathWorks, 2013. MATLAB, English version 8.1, release 2013a, Natick, Massachusetts, ISBN: 978-0-9825838-8-3.
Matsuo, 2003, 30
Mell, 2002, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
Mell, P., Scarfone, K., Romanosky, S., 2007. A complete guide to the common vulnerability scoring system, Version 2, http://www.first.org/cvss/cvss-guide.pdf (last visited March 2014).
Microsoft, 2012. Security bulletin severity rating system. http://technet.microsoft.com/en-us/security/gg309177.aspx (last visited March 2014).
Mozilla, 2005. Mozilla foundation security advisories. http://www.mozilla.org/security/announce/ (last visited March 2014).
Nikto2, 2010. http://cirt.net/nikto2 (last visited March 2014).
National Institute of Standards and Technology (NIST), 2008, Special Publication 800-55 Revision 1, Performance Measurement Guide for Information Security
National Vulnerability Database (NVD), 2013. Version 2.2 http://nvd.nist.gov/ (last visited March 2014).
Osunmuyiwa, 2013, Online banking and the risks involved, Res. J. Inf. Technol., 5, 50
Papoulis, 2002
Payment Card Industry (PCI), 2010. Approved Scanning Vendors, Program Guide, Reference 1.0, PCI DSS 1.2 https://www.pcisecuritystandards.org/pdfs/asv_program_guide_v1.0.pdf (last visited March 2014).
Qualys, 1999. Severities knowledgebase. http://www.qualys.com/research/knowledge/severity/ (last visited March 2014).
Red Hat, 2005. Classification of security issues. http://www.redhat.com/f/pdf/rhel4/SecurityClassification.pdf (last visited March 2014).
Rinaldi, 2001, Identifying, understanding and analyzing critical infrastructure interdependencies, IEEE Control Syst. Mag., 21, 11, 10.1109/37.969131
Salkind, 2007
Schiffman, M. (Cisco CIAG), 2005. CVSS: A common vulnerability scoring system. http://www.first.org/cvss/v1/guide (last visited March 2014).
Secunia, 2002. Advisories. http://secunia.com/advisories/historic/ (last visited March 2014).
Shah, 2009
Shah, 2006, Organisational critical success factors in adoption of e-banking at the Woolwich bank, Int. J. Inf. Manage., 26, 442, 10.1016/j.ijinfomgt.2006.08.003
Shar, 2013, Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns, Inf. Softw. Technol., 55, 1767, 10.1016/j.infsof.2013.04.002
Shin, 2013, Can traditional fault prediction models be used for vulnerability prediction?, vol. 18, 25
Spanos, 2013, WIVSS: a new methodology for scoring information systems vulnerabilities, 83
Strecker, 2011, RiskM: A multi-perspective modelling method for IT risk assessment, vol. 13, 595
Symantec, 2000. Symantec security response glossary. http://www.symantec.com/securityresponse/severityassessment.jsp. (last visited March 2014).
Theoharidou, 2010, A multi-layer criticality assessment methodology based on interdependencies, Comput. Secur., 29, 643, 10.1016/j.cose.2010.02.003
Venter, 2004, Vulnerability forecasting: a conceptual model, Comput. Secur., 23, 489, 10.1016/S0167-4048(04)00175-0
Veríssimo, 2006, The CRUTIAL reference critical information infrastructure architecture: a blueprint, Critical Information Infrastructures Security, Lect. Notes Comput. Sci., 4347, 1, 10.1007/11962977_1
VUPEN, 2005. Vulnerability research and intelligence. http://www.vupen.com/ (last visited March 2014).
Waltermire, D., Quinn, S., Scarfone, K., Halbardier, A., 2011. The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2, http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf (last visited March 2014).
Wang, 2012, PVL: A Novel Metric for Single Vulnerability Rating and Its Application in IMS, Journal of Computational Information Systems, 8, 579
Wolfgang, M., 2002. Host Discovery with Nmap http://nmap.org/docs/discovery.pdf (last visited March 2014).
Woo, 2011, Modeling vulnerability discovery process in Apache and IIS HTTP servers, Comput. Secur., 30, 50, 10.1016/j.cose.2010.10.007
X-Force, 1999. Frequently asked questions, http://www-935.ibm.com/services/us/iss/xforce/faqs.html (last visited March 2014).
Xie, 2010, Using Bayesian networks for cyber security analysis, 211
Younis, 2014, Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability, 1
Zhang, 2011, An empirical study on using the National Vulnerability Database to predict software vulnerabilities, Database and Expert Systems Applications, vol. 6860, 217, 10.1007/978-3-642-23088-2_15