KR101985421B1 - Method and apparatus for security investment based on evaluating security risks - Google Patents

Abstract

The present invention relates to a security investment method and apparatus, and more particularly, to a security investment method and apparatus based on security risk assessment in a cloud computing environment. According to the present invention, there is provided a security investment method based on security risk assessment, comprising the steps of: establishing one or more security threats that may occur in the cloud service and a vulnerability of each security threat according to a type of cloud service; Wherein the first and second security threats are hierarchically connected to the vulnerability points of the attack step, and when the vulnerabilities included in the first and second security threats are the same, the same vulnerability is unified into one vulnerability node, Generating an attack tree map by connecting a second security threat, matching a security control item for supplementing the vulnerability node with each of the vulnerability nodes of the attack tree map, using the child node structure and the correlation degree of the vulnerability node Calculating a vulnerability score of each of the vulnerability nodes, Summing the vulnerable score for each item, and by using this, and an aspect in that it comprises the step of quantitatively evaluating the security risk of the cloud service. According to the present invention, it is possible to perform a more accurate security evaluation by excluding a double evaluation of an overlapping attack by evaluating a security risk in consideration of an attack step of a security threat that may occur in a cloud environment.

Description

TECHNICAL FIELD [0001] The present invention relates to a security investment method and apparatus based on security risk assessment,

The present invention relates to a security investment method and apparatus, and more particularly, to a security investment method and apparatus based on security risk assessment in a cloud computing environment.

The computing environment of information systems is shifting to the cloud center with its rapid resource expansion, low operating cost, and uninterrupted service. Many companies, organizations, and government agencies are also interested in cloud computing.

Cloud computing providers need to transparently and systematically manage their users' critical data, and users want to hear about security management. However, current cloud service providers do not provide enough security visibility and transparency, and they do not meet the requirements of users due to inexperienced cloud security technologies.

 To complement these inexperienced cloud security technologies and policies, companies and organizations allocate and manage budgets to improve cloud security technologies and build systems. However, it is difficult to grasp the investment effect on security investment even if security investment is carried out with such budget allocation. Existing security investment methods suggest security investment effects based on security threats, attack frequency, asset importance, and asset damage scale. However, there are some problems with these methods.

First, existing security investment methods do not provide security investment effects based on accurate security evaluation. Security attacks are typically performed in several stages, with different attack methods overlapping each other. For example, breach of data and loss of data among cloud security threats are different security threats, but attack steps are required to take over administrator accounts. However, in the security evaluation, security evaluation is performed by considering data infringement and data loss as independent security threats without considering redundant attacks. Therefore, accurate security evaluation must be done before the security investment method and security investment effect can be accurately evaluated.

In addition, existing investment techniques have suggested ways to maximize the security level without considering the amount of security investment. However, companies and organizations are limited in the amount of security investment, so there is a need for ways to find the maximum security investment effect from a given security investment amount.

The investment methods proposed in the past are as follows, and the problems of the respective investment methods are as follows.

1. Annual Loss Expectancy (ALE): The ALE does not take into account the level of impact a particular security risk has on the system, and has the problem of knowing the frequency of all security risks.

2. Return on Investment (ROI) or Return on Security Investment (ROSI): assess the effectiveness of any investment activity. However, since ROI takes into account only the current or specific time, the accuracy of the security versus investment is relatively low and unreliable.

3. NPV (Net Present Value) Model: The NPV model is a model that determines the investment by comparing the current asset value with the asset value after investment. It is useful to apply the investment cost-benefit analysis theory in practice. However, it is very difficult to define all asset valuation and asset discount rates.

4. Gordon and Loeb Model: Gordon and Loeb model that theoretically interprets the investment correlation based on the security risk (vulnerability) for the first time among various studies as the method of determining the optimal investment amount is difficult to obtain security threat probability and vulnerability probability, We excluded the possibility of multiple types of information being correlated and protected by one investment. Also, although the optimal amount of investment is found, it is not considered that there is a limit to resources invested in security by a corporation or an institution.

The present invention solves the above-mentioned problems, and it is an object of the present invention to provide a method and system for evaluating a security risk by taking into consideration attack steps of a security threat that may occur in a cloud environment, Based security investment method and apparatus based on the security risk assessment.

It is another object of the present invention to provide a security investment method and apparatus based on security risk assessment that can obtain the maximum security investment effect in a limited security budget.

It is another object of the present invention to provide a method and apparatus for security investment based on security risk assessment that enables economical security investment by numerically and visually expressing investment effects.

According to another aspect of the present invention, there is provided a security investment method based on security risk assessment, comprising the steps of: establishing one or more security threats and a vulnerability of each security threat that may occur in the cloud service according to a type of cloud service; The vulnerabilities are classified into a single vulnerability node and a single vulnerability node if the vulnerabilities included in the first and second security threats are the same. Generating an attack tree map by connecting a first security threat and a second security threat to each of the vulnerability nodes of the attack tree map; matching a security control item for supplementing the vulnerability node with each of the vulnerability nodes of the attack tree map; The vulnerability score of each of the vulnerability nodes is calculated using the structure and correlation And summing the vulnerability scores for each of the security control items, and quantitatively evaluating a security risk of the cloud service using the sum of the vulnerability scores.

According to another aspect of the present invention, there is provided a security investment apparatus based on security risk assessment, the apparatus comprising: a configuration unit configured to set one or more security threats and a vulnerability of each security threat that may occur in the cloud service according to a type of cloud service, An attack tree map generating unit for generating an attack tree map by uniting vulnerability points overlapping the entire vulnerability node into one node and matching a security control item for supplementing the vulnerability node to each vulnerability node of the attack tree map, The vulnerability score of each of the vulnerability nodes is calculated using the child node structure and the degree of correlation of the vulnerability nodes, and the vulnerability score is summed for each security control item, and the security risk of the cloud service is quantitatively evaluated And the like.

As described above, according to the present invention, a security risk can be evaluated in consideration of an attack step of a security threat that may occur in a cloud environment, thereby performing a more accurate security evaluation by excluding a double evaluation of an overlapping attack.

In addition, according to the present invention, a maximum security investment effect can be derived from a limited security budget.

Further, according to the present invention, economical security investment is possible by numerically and visually expressing investment effects.

1 is a block diagram illustrating a configuration of a security risk assessment-based security investment apparatus according to an exemplary embodiment of the present invention;
2 is a diagram for explaining an environment setting function according to an embodiment of the present invention;
3 is a diagram for explaining a method of generating an attack tree map according to an embodiment of the present invention;
4 is a diagram for explaining a node structure of an attack tree map according to an embodiment of the present invention;
FIG. 5 is a view for explaining an attack tree map according to an embodiment of the present invention; FIG.
FIG. 6 is a flowchart illustrating a security investment method based on security risk assessment according to an embodiment of the present invention. FIG.
FIG. 7 is a flowchart illustrating a security investment method based on security risk assessment according to another embodiment of the present invention; FIG.
8 is a flowchart illustrating an embodiment of a post-investment security risk evaluation for establishing an investment strategy.

The above and other objects, features, and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, which are not intended to limit the scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

In the drawings, the same reference numerals are used to designate the same or similar components, and all combinations described in the specification and claims can be combined in any manner. It is to be understood that, unless the context requires otherwise, references to singular forms may include more than one, and references to singular forms may also include plural forms.

The terminology used herein is for the purpose of describing particular illustrative embodiments only and is not intended to be limiting. Singular representations as used herein may also be intended to include a plurality of meanings, unless the context clearly dictates otherwise. The terms " and / or " " and / or " include any and all combinations of the items listed therein. The terms "comprises," "comprising," "including," "having," "having," "having," and the like have the implicit significance, Steps, operations, elements, and / or components, and does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / Steps, processes, and operations of the methods described herein should not be construed as necessarily enforcing their performance in such specific order as discussed or illustrated unless specifically concluded the order of their performance . It should also be understood that additional or alternative steps may be used.

In addition, each component may be implemented as a hardware and software processor, respectively, and the above components may be integrated into one hardware and software processor, or the above components may be combined with each other to form a plurality of hardware and software processors . ≪ / RTI >

Before describing a specific embodiment of the present invention, the cloud environment to which the present invention is applied and terms used in this specification will be briefly described.

The cloud can provide a variety of cloud services using resource virtualization technology. This is different from existing computing technologies that provided only one service to a single server. This feature makes cloud security more complex. In the case of a single service, it is necessary to analyze security threats against a single service and establish countermeasures. However, since cloud security can provide various services, it is necessary to analyze various security threats and establish countermeasures against them to be.

 Security threats can occur through detailed attack steps, where the detailed attack steps of each security threat can be duplicated. Therefore, there is a need for a security evaluation method that can eliminate the double evaluation of overlapping attack levels between various security threats. In the present specification, a technology capable of solving such a problem is proposed.

In addition, cloud service providers have limited budgets to invest in security, so there is a need to plan security investment strategies and assess security investment strategies to ensure optimal security investments within a limited budget. The present invention provides a security risk assessment based security investment method and apparatus that satisfies such a demand.

It is assumed herein that each embodiment of the present invention operates under the following conditions. First, it is assumed that one cloud security threat has one or more detailed attack phases. Each detailed attack step corresponds to one or more security vulnerabilities. For convenience of explanation, it is assumed that one detailed attack step corresponds to one security vulnerability.

Second, it can be assumed that the cloud security control item (Secure Control, SC) does not affect other security control items when the security control item is invested.

Third, one security control item can solve one or more security vulnerabilities, and it can be assumed that one security vulnerability can be matched with at least one security control item.

In addition, each symbol and expression used in the present specification can be interpreted as having the following meaning.

sign Justice

The yth vulnerability to the xth security threat

i th security control item

Parent node (vulnerability)

And child nodes

Correlation coefficient between

Security investment amount

Vulnerability after investment

Of vulnerabilities (number of vulnerabilities mitigated after investment)

weakness

Security vulnerability score for

Vulnerability after applying ATM

Vulnerability score

Total number of vulnerabilities in the i th security control item

Investment amount for i- th security control item

The total vulnerability score of the child node (s)

Total number of vulnerabilities after child node (s) investment

Total number of vulnerabilities in the ith control item after investment

The amount invested in the i th control item

Vulnerability after investment

Number of vulnerabilities

Total investment amount invested in all security control items  TVV Total number of vulnerabilities before investment iTVV Total number of vulnerabilities after investment

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram illustrating a configuration of a security risk assessment based security investment apparatus (hereinafter referred to as a 'security investment apparatus') according to an embodiment of the present invention. 1, a security investment apparatus 100 according to an embodiment of the present invention includes an environment setting unit 110, an attack tree map generating unit 130, a security risk evaluating unit 150, an investment calculation unit 170 And may further include a weight determining unit 140 according to an embodiment of the present invention. The configuration of the secure investment apparatus 100 shown in FIG. 1 is exemplary, and the secure investment apparatus 100 may include only a part of the module disclosed in FIG. 1 and / or add other modules necessary for its operation As shown in FIG.

The security investment apparatus 100 is operated in a cloud computing environment and can establish a security investment strategy by receiving information necessary for environment setting from a cloud service provider (not shown). Once a security investment strategy is established, one or more security investment strategies can be provided to cloud service providers, and each security investment strategy can be evaluated and provided.

The environment setting unit 110 may analyze the cloud service environment and set items necessary for security risk assessment and investment strategy establishment.

For example, the environment setting unit 110 can define a security threat that can occur for each cloud service, and can define a detailed attack step of the security threat.

For example, major security threats to cloud services include: Abuse and Nefarious Use of Cloud Computing; Insecure Interfaces and APIs; Malicious Insiders ), Shared Technology Issues, Data Loss or Breach, Service / Account Hijacking, Unknown Risk Profile, Distributed Denial of Service Attacks Distributed Denial of Services), and the types of security threats are not limited by the above examples. Each cloud service may have a different degree of vulnerability to security threats depending on its characteristics, and therefore different levels of importance can be set for each security threat. Therefore, the environment setting unit 110 can define security threats that can be generated according to the characteristics of the cloud service and the cloud service provider settings, and define a detailed attack step of the security threat corresponding to the specific cloud service.

)→데이터 접근(

)→데이터 유실(

)의 단계를 포함할 수 있다. 이는 권한 획득 단계에서의 공격, 데이터 접근 시 공격, 최종적인 데이터 유실 단계에서의 공격 중 적어도 하나로 인해 데이터 유실이 발생할 수 있음을 의미한다. 임의의 클라우드 서비스는 데이터 유실의 보안 위협에 있어서, 전술한 세 단계의 세부 공격 단계에 취약점을 가지고 있으므로, 세부 공격 단계는 곧 취약점을 의미하는 것으로 이해될 수 있다. 본 명세서에서 x라는 보안 위협의 y번째 세부 공격 단계 각각은 취약점을 의미하며, 취약점은 표 1에 도시된 바와 같이

로 표기한다. Each security threat can occur through one or more attack steps. For example, in the case of a security threat such as (B) data loss shown in FIG. 2,

) → data access (

) → Data loss (

). ≪ / RTI > This means that data loss can occur due to at least one of attack at the authority acquisition stage, attack at data access, and attack at the final data loss stage. Since any cloud service is vulnerable to the three levels of detailed attack phase in the security threat of data loss, it can be understood that the detailed attack phase is immediately a vulnerability. In the present specification, each of the y-th detailed attack steps of the security threat x means a vulnerability, and the vulnerability is as shown in Table 1

.

Hereinafter, the security threat of the environment setting unit 110 and the vulnerability setting according to detailed attack steps will be described in more detail with reference to FIG.

For example, when the security investment apparatus 100 establishes a security investment strategy for an arbitrary cloud service, the environment setting unit 110 may determine one or more security threats that may occur in the cloud service, (A) Data Breach, (B) Data Loss, (C) Service / Account Hijacking, (D) Unsafe APIs, (Insecure APIs), and (E) Malicious Insiders.

) → 감염된 루트킷(

) → 패스워드 해킹(

) → 관리자로 동작(

) → 가치있는 정보에 접속(

)하는 과정을 통해 이루어질 수 있으며, (B) 데이터 손실(Data Loss)은 관리 자격 획득(

) → 데이터에 접근(

) → 데이터 손실(

) 과정을 통해 이루어질 수 있다. (C) 서비스/계정 하이재킹(Service/Account Hijacking)은 트랩에 빠짐(XSS)(

) → 관리자/사용자 계정 획득(

) → 암호 획득(

)의 과정을 통해 이루어질 수 있으며, (D) 불안전한 API(Insecure APIs)는 불안전한 오브젝트 레퍼런스 사용(

) → 데이터에 접근(

) 하는 과정을 통해 이루어질 수 있다. 마지막 보안 위협의 예시인 (E) 악의적 내부 관계자(Malicious Insiders)는 물리 서버에의 접근(

) → 서버 메모리 덤프 스캔(

) → 사용자 계정 정보 획득 (

) 과정을 통해 이루어질 수 있다. As shown in FIG. 2, the environment setting unit 110 may set a weak point according to the detailed attack step. For example, (A) Data Breach is a malware download

) → infected rootkit (

) → Password hacking (

) → act as administrator (

) → access to valuable information (

(B) Data Loss can be achieved through the process of acquiring management certification

) → access to data (

) → data loss (

) Process. (C) Service / Account Hijacking is trapped (XSS) (

) → Manager / User Account Acquisition (

) → obtain password

), And (D) insecure APIs (Insecure APIs) can be used through insecure object reference usage

) → access to data (

). ≪ / RTI > (E) Malicious Insiders, an example of the last security threat,

) → Server memory dump scan (

) → Obtain user account information (

) Process.

In this way, the environment setting unit 110 can more accurately evaluate the security risk through the process of setting the security threats according to the characteristics of the cloud service and the weaknesses of the attack steps in detail, It has the effect of improving the low accuracy of risk assessment.

The environment setting unit 110 may set a security control item of the cloud service. The 'security control item' means a physical method of performing security control, and may be different according to the classification method. For example, the environment setting unit 110 may set the security control items as secure storage, secure processing, network, access control, audit verification and compliance, And so on. Meanwhile, it can be understood that the security investment is performed based on the security control item in the embodiment of the present invention.

The environment setting unit 110 may define the degree of correlation. Correlation refers to the correlation coefficient indicating the correlation between the preceding stage (child node) and the trailing stage (parent node) when the detailed attack phase is mapped to each node of the tree.

단계의 공격에 성공하면 다음 단계인

단계의 공격에 성공할 확률과

단계의 공격에 성공하면 다음 단계인

단계의 공격에 성공할 확률은 서로 다른 값을 가질 수 있다. 이와 같이 각 단계간의 상관 관계를 나타내는 값을 상관도라고 하며, 상관도는 각 공격의 특성에 따라 달라질 수 있다. For example, a detailed attack progresses step by step. If an attacker succeeds in attack in the first detailed attack phase, he can attack the second phase more easily. As an example, in FIG. 2 (A)

If the attack is successful, the next step

The probability of a successful attack

If the attack is successful, the next step

The probability of a successful attack on a phase can have a different value. The value indicating the correlation between the respective stages is referred to as a correlation degree, and the degree of correlation may vary depending on the characteristics of each attack.

The environment setting unit 110 may set the degree of correlation and reflect the vulnerability due to the sequential attack to the security evaluation. Correlation can be understood as a correlation coefficient defined between a parent vulnerability node (parent attack phase or trailing attack phase) and a child vulnerability node (child attack phase or predecessor attack phase), which depends on the cloud service provider's settings . Also, the degree of correlation may be automatically set by the environment setting unit 110 according to the analysis result of the accumulated attack pattern.

Furthermore, the configuration unit 110 can set the security vulnerability reduction ratio. The 'vulnerability mitigation ratio' means the rate at which the security vulnerability of the vulnerability corresponding to the security control item is relieved when invested in any security control item. More specifically, the security vulnerability mitigation rate may be a constant value of the security vulnerability mitigation function. For example, the security risk evaluator 150 may calculate the security vulnerability score using the security vulnerability function as shown in Equation (1) below. The environment setting unit 110 sets the security vulnerability score The corresponding constant value can be set for each security control item as shown in Table 2 below.

alpha 0.078 0.073 0.077 0.047 0.068 beta 0.103 0.123 0.162 0.236 0.249

Since the security vulnerability mitigation rate set in the environment setting unit 110 is used for the security vulnerability mitigation function, the result of the function is influenced on the mitigated security vulnerability score.

The vulnerability mitigation rate may vary depending on the nature of the security control item, and may be affected by enterprises and organizations, service characteristics, and cloud computing environment. In addition, the vulnerability mitigation rate can be determined differently depending on the data and statistics accumulated by existing investments.

The attack tree map generation unit 130 generates an attack tree map by uniting the vulnerabilities overlapping one or more security threats into one node, and transmits a security control Item can be matched.

Let's look at how to create an attack tree map with reference to the example of FIG. FIG. 3 shows an embodiment in which the security threat set in the cloud service is data breach and data loss. First, each vulnerability of a security threat can be mapped to a single vulnerability node. (A), each security threat includes stepwise vulnerabilities a1 to a4 and b1 to b4. Here, a1 and b1 for downloading malware, and a2 and b2 for infected rootkits correspond to the same vulnerability. In generating the attack tree map, the attack tree map generator 130 examines the entire security risk and unifies the overlapping vulnerabilities into one node as shown in (B) on the right side.

->

의 단계별 취약점을 포함하고, 제 2 보안 위협이

->

의 단계별 취약점을 포함할 때, 취약점

가 중복되므로, 해당 취약점 노드는 단일화할 수 있다.

,

는 선행 공격 단계이므로 자식 노드가 되고,

는 후행 공격 단계이므로 부모 노드에 해당한다. 또한, 공격 트리 맵 생성부(130)는 각각의 취약점 노드에 해당 취약점을 보완하기 위한 보안 제어 항목을 매칭할 수 있는데,

에는

,

에는

,

에는

를 매칭할 수 있다. 4, the attack tree map generating unit 130 may generate an attack tree map reflecting the relationship between the vulnerability nodes, and may match the security control items that can complement the vulnerability to each vulnerable node can do. 4 (A) shows a general structure. The first security threat

->

, And the second security threat

->

Of-the-box vulnerabilities,

The vulnerability node can be unified.

,

Is a child node in the preceding attack step,

Is a trailing attack step, and thus corresponds to a parent node. Also, the attack tree map generator 130 may match the security control items for supplementing the vulnerability to each vulnerable node,

There

,

There

,

There

Can be matched.

->

로 진행되는 제 1 보안 위협과

->

로 진행되는 제 2 보안 위협은 서로 영향을 미치지 않는다. 이러한 경우에는 공격 트리 맵에 (B)와 같이 OR 조건 관계를 반영하여 표시할 수 있다. (B) shows the attack tree map when one or more child nodes are mutually independent (in the case of an OR condition relationship).

->

And the first security threat

->

The second security threats that are going on do not affect each other. In such a case, the OR conditional relationship can be displayed in the attack tree map as shown in (B).

와

두 개의 취약점을 모두 만족하는 경우

단계로 진행되는 보안 위협이 존재할 수 있으며, 이 경우 공격 트리 맵은 (C)와 같이 생성될 수 있다. (C) shows an attack tree map when one or more child nodes have an AND condition relationship.

Wow

If both vulnerabilities are met

There may be a security threat going to the step. In this case, the attack tree map can be generated as shown in (C).

Since the node structure between the child node and the parent node as described above may affect the vulnerability score calculation, the attack tree map generation unit 130 preferably reflects the structure in the attack tree map.

FIG. 5 is a diagram illustrating an example of an attack tree map generation unit 130 in the cloud service in which five attack threats are defined as shown in FIG. 2, This is an embodiment of the map.

)에는 모두 하나 이상의 보안 제어 항목(

)이 매칭되어 있다. 각 노드를 연결한 링크에 표시된

는 취약점 노드

와

간의 상관도를 의미한다. In the attack tree map of FIG. 5, each vulnerability node (

) All contain one or more security control entries (

) Are matched. Linked to each node

Vulnerability node

Wow

.

As described above, the attack tree map generating unit 130 can eliminate the redundant investment costs by eliminating the redundant vulnerability, so that the cloud service provider and the investor can confirm the security investment amount with higher accuracy than the prior art.

The security risk evaluation unit 150 calculates the vulnerability score of each vulnerability node using the child node structure and the degree of correlation of the vulnerability node. The vulnerability score may be derived using the following Equations 2 to 4 have.

For example, if one or more first child nodes of an arbitrary first vulnerability node are mutually independent, the product of the vulnerability score of the first child node and the correlation coefficient of the first child node-vulnerability node, , Which can be expressed by the equation (2) or (3).

In another embodiment, when one or more second child nodes of an arbitrary second vulnerability node are mutually AND conditional relations, the sum of the weak point of the second child node and the correlation coefficient of the second child node-vulnerability node The vulnerability score of the second vulnerability node can be calculated by dividing the vulnerability score of the second vulnerability node by the number of the second child nodes.

의 취약 점수

이며, 수학식 3은 취약점 노드(

)와 자식 노드 간 상호 독립적인 OR 구조를 갖는 경우의 취약점

의 취약 점수

이다. 수학식 4는 취약점 노드(

)와 자식 노드 간 AND 구조를 갖는 경우의 취약점

의 취약 점수

이다.Equation (2) shows a vulnerability in an attack tree map having a general structure

Vulnerability score

And Equation (3) represents the vulnerability node

) And child nodes have mutually independent OR structure

Vulnerability score

to be. Equation (4) represents the vulnerability node

) And a child node has an AND structure.

Vulnerability score

to be.

The vulnerability scores of each vulnerability node in the embodiment of FIG. 5 described above can be expressed as shown in Table 3 below. This is an example of a case where the correlation between nodes is assumed to be 0.1.

Vulnerability node Parent node Child node Vulnerability score of vulnerability node Matched
Security Control Item

 - 45 SC2

21 SC4

,

,

56 SC1

17 SC4

,

13 SC4

 -

15 SC2

 - 57 SC3

21 SC4

- 63 SC5

- 24 SC2

21 SC4 Total - - 353 -

를 구할 수 있으며, 이를 모두 합산하여 투자 전의 총 취약점수(TVV)를 산출하여 클라우드 서비스의 보안 위험을 정량적으로 평가한다. 본 발명의 일 실시 예에서, 투자 전의 총 취약점수(TVV)는 클라우드 서비스의 보안 위험을 나타내는 정량적 지표로 이해될 수 있으며, 투자 전의 총 취약 점수(TVV)는 하기 수학식 5와 같이 산출할 수 있다. The security risk evaluation unit 150 sums the vulnerability scores for each security control item

, And all of them are summed up to calculate the total number of vulnerabilities (TVV) before investment to quantitatively evaluate the security risk of the cloud service. In one embodiment of the present invention, the total number of vulnerabilities before investment (TVV) can be understood as a quantitative indicator indicating the security risk of the cloud service, and the total vulnerability score (TVV) before investment can be calculated as Equation have.

In the example of Table 2, the sum of the number of vulnerabilities per security control item and the total number of vulnerabilities before investment (TVV) are shown in Table 3 below.

 Total

 56 81 57  96 93  353

63.56  85.564 57 121.192  63 390.316

는 공격 트리 맵을 생성하지 않고 각 취약점의 취약 점수를 보안 제어 항목 별로 단순 합산한 경우의 보안 제어 항목 별 취약 점수의 합이며,

는 상관도 및 구조를 반영하여 공격 트리 맵을 생성한 본 발명의 일 실시 예에 따른 보안 제어 항목 별 취약 점수의 합이다. 종래 기술에 따른 투자 전 총 취약 점수는 353이며, 본 발명의 일 실시 예에 따른 투자 전 총 취약 점수(TVV)는 390.316으로 산출되어 차이가 있음을 확인할 수 있다. Table 4

Is the sum of the vulnerability scores for each security control item when the vulnerability score of each vulnerability is simply added for each security control item without generating an attack tree map,

Is the sum of vulnerable scores for each security control item according to an exemplary embodiment of the present invention in which an attack tree map is generated reflecting the correlation and structure. The total vulnerability score before investment according to the prior art is 353, and the total vulnerability score (TVV) before investment according to the embodiment of the present invention is calculated to be 390.316.

The weight determining unit 140 may determine a weight for each security control item according to the cloud service type. Depending on the type of cloud service, each security control item can have a different weight, for example, there may be a cloud service that gives a greater weight to the security store, and a cloud service that gives a greater weight to the security process Because. The weight determining unit 140 may determine the weight by learning service characteristics such as the setting of the cloud service provider or the cumulative cloud service usage status.

The weight determined by the weight determination unit 140 may be used when the security risk assessment unit 150 calculates the total vulnerability score TVV before the investment. In quantitatively evaluating the security risk, the security risk assessment unit 150 may reflect the weight of the security control item in the weak score summed for each security control item.

에 투자 시, 상기 보안 제어 항목

에 대응하는 하나 이상의 투자 취약점의 보안 취약 완화 비율을 결정한 바 있다. Next, the security risk evaluation unit 150 can establish an investment strategy by quantitatively evaluating the security risk after the investment. In the security risk evaluation for establishing the investment strategy, the security risk evaluation unit 150 may use the security vulnerability reduction ratio set in the environment setting unit 110. [ In the embodiment of the environment setting unit 110 described above, any security control item

, The security control item

Vulnerability mitigation ratios of one or more investment vulnerabilities corresponding to.

The security risk evaluation unit 150 calculates the relaxed vulnerability score of each investment vulnerability node using the structure and correlation of the child node of the investment vulnerability node, the investment amount corresponding to the investment, and the vulnerability mitigation ratio of the investment vulnerability The vulnerability score is summed up for each security control item, and the security risk after the investment of the cloud service is quantitatively evaluated using the sum.

이면, 상기 투자 취약점 노드

의 완화된 취약 점수

를 하기 수학식 6에 따라 산출할 수 있다. 이 때,

및

는 환경 설정부(110)에서 설정된 상수(보안 취약 완화 비율)일 수 있다. For example, the security risk assessment unit 150 may determine that the investment amount

, The investment vulnerability node

Mitigated vulnerability scores

Can be calculated according to the following equation (6). At this time,

And

May be a constant (security vulnerability mitigation rate) set in the environment setting unit 110.

More specifically, the security risk assessment unit 150 may calculate the vulnerability score that is relaxed as follows considering the structure of the vulnerability node and its child nodes.

를 투자한 후의 일반적인 구조를 갖는 취약점 노드

의 취약 점수이며, 수학식 8은 i번째 보안 제어 항목에 보안 투자 금액

를 투자한 후의 자식 노드와 OR 구조를 갖는 취약점 노드

의 취약 점수, 수학식 9는 i번째 보안 제어 항목에 보안 투자 금액

를 투자한 후의 자식 노드와 AND 구조를 갖는 취약점 노드

의 취약 점수를 나타낸 것이다. Equations (7) to (9) are examples of expressing a relaxed weak score in consideration of the structure. Equation (7) represents the security investment amount in the i-th security control item

Vulnerable node with a common structure after investing

And Equation (8) represents the security investment amount in the i-th security control item

A vulnerability node having an OR structure with a child node after investing

(9) is the security investment amount in the i-th security control item

A vulnerable node having an AND structure with a child node after investing

.

The weakened score after each investment can be sorted around the security control item, and the total weakness score iTVV after investment can be derived as shown in Equation 10 below. Total vulnerability score after investment iTVV is a quantitative evaluation of security risk after investment. Using TVV and iTVV, security risk after investment can be compared with pre-investment security risk.

The investment calculation server 170 may calculate the optimal investment amount for each security control item so that the post-investment security risk quantitatively evaluated by the security risk evaluation unit 150 is minimized. For example, the investment calculation unit 170 may calculate the investment amount using the Lagrange multiplier method, which is an optimization technique, to satisfy the lower condition of Equation (11) below.

The investment analysis unit 190 can provide the user with a result of comparing the vulnerability score before and after the investment using the total pre-investment vulnerability score (TVV) and the post-investment total investment vulnerability score (iTVV) By quantitative comparison with strategy, the best investment strategy can be provided (recommended) to users. For example, if the total investment amount is equally invested in all security control items, the total vulnerability score can be calculated and provided to the user (equal investment). Using the Lagrange multiplier described above, the iTVV value is the smallest The total vulnerability score of the user can be calculated and provided to the user (optimal investment). The user can refer to the quantified post-investment security risk provided by the security investment apparatus 100 to the budget use for the security investment, and effectively execute the security investment.

FIG. 6 is a flowchart for explaining a security investment method based on security risk assessment (hereinafter referred to as 'security investment method') according to an embodiment of the present invention.

Referring to FIG. 6, the security investment method according to an embodiment of the present invention includes a configuration step S10, a security risk evaluation step S20, an investment strategy establishment step S30, and an investment effect evaluation step S40 .

In step 10, the server can analyze the cloud service environment and set the items necessary for security risk assessment and investment strategy establishment.

For example, a server can define security threats that can occur per cloud service and can define the detailed attack level of the security threat.

For example, major security threats to cloud services include: Abuse and Nefarious Use of Cloud Computing; Insecure Interfaces and APIs; Malicious Insiders, Shared Technology Issues, Data Loss or leakage, Account or Service Hijacking, Unknown Risk Profile, Distributed Denial of Service Attacks (Distributed Denial of Services), and the types of security threats are not limited by the above examples. Each cloud service may have a different degree of vulnerability to security threats depending on its characteristics, and therefore different levels of importance can be set for each security threat. Accordingly, in step 10, the server can define possible security threats according to the nature of the cloud service and the cloud service provider settings, and define the detailed attack step of the security threat corresponding to the specific cloud service.

)→데이터 접근(

)→데이터 유실(

)의 단계를 포함할 수 있다. 이는 권한 획득 단계에서의 공격, 데이터 접근 시 공격, 최종적인 데이터 유실 단계에서의 공격 중 적어도 하나로 인해 데이터 유실이 발생할 수 있음을 의미한다. 임의의 클라우드 서비스는 데이터 유실의 보안 위협에 있어서, 전술한 세 단계의 세부 공격 단계에 취약점을 가지고 있으므로, 세부 공격 단계는 곧 취약점을 의미하는 것으로 이해될 수 있다. 본 명세서에서 x라는 보안 위협의 y번째 세부 공격 단계 각각은 취약점을 의미하며, 취약점은 표 1에 도시된 바와 같이

로 표기한다. Each security threat can occur through one or more attack steps. For example, in the case of a security threat such as (B) data loss shown in FIG. 2,

) → data access (

) → Data loss (

). ≪ / RTI > This means that data loss can occur due to at least one of attack at the authority acquisition stage, attack at data access, and attack at the final data loss stage. Since any cloud service is vulnerable to the three levels of detailed attack phase in the security threat of data loss, it can be understood that the detailed attack phase is immediately a vulnerability. In the present specification, each of the y-th detailed attack steps of the security threat x means a vulnerability, and the vulnerability is as shown in Table 1

.

In this way, the server can evaluate the security risk more precisely through the process of setting up the security threats and the detailed attack steps according to the characteristics of the cloud service. This improves the low accuracy of the security risk evaluation conventionally considered only for the security threat It is effective.

In step 10 of setting the environment, the server can set security control items of the cloud service. The 'security control item' means a physical method of performing security control, and may be different according to the classification method. For example, the server can classify security control items into categories such as Secure Storage, Secure Processing, Network, Access Control, AuditVerification and Compliance. have.

The server may select one or more security control items capable of responding to the security threats and vulnerabilities described above and match one or more security control items for each vulnerability. Also, in one embodiment of the present invention, it can be understood that the security investment is based on the security control item.

In step 10, the server can define a correlation. Correlation refers to the correlation coefficient indicating the correlation between the preceding stage (child node) and the trailing stage (parent node) when the detailed attack phase is mapped to each node of the tree.

단계의 공격에 성공하면 다음 단계인

단계의 공격에 성공할 확률과

단계의 공격에 성공하면 다음 단계인

단계의 공격에 성공할 확률은 서로 다른 값을 가질 수 있다. 이와 같이 각 단계간의 상관 관계를 나타내는 값을 상관도라고 하며, 상관도는 각 공격의 특성에 따라 달라질 수 있다. For example, a detailed attack progresses step by step. If an attacker succeeds in attack in the first detailed attack phase, he can attack the second phase more easily. As an example, in FIG. 2 (A)

If the attack is successful, the next step

The probability of a successful attack

If the attack is successful, the next step

The probability of a successful attack on a phase can have a different value. The value indicating the correlation between the respective stages is referred to as a correlation degree, and the degree of correlation may vary depending on the characteristics of each attack.

The server can set the correlation and reflect the severity of the sequential attack in the security evaluation. Correlation can be understood as a correlation coefficient defined between a parent vulnerability node (parent attack phase or trailing attack phase) and a child vulnerability node (child attack phase or predecessor attack phase), which depends on the cloud service provider's settings . Also, the degree of correlation may be automatically set by the server according to the result of analysis of the accumulated attack pattern.

In addition, the server may set the security vulnerability mitigation rate in step 10. The 'vulnerability mitigation ratio' means the rate at which the security vulnerability of the vulnerability corresponding to the security control item is relieved when invested in any security control item. More specifically, the security vulnerability mitigation rate may be a constant value of the security vulnerability mitigation function. For example, in the security risk assessment step S20 or the investment strategy establishment step S30, the security vulnerability score may be calculated using the security vulnerability function as shown in Equation 12 below. Constant values corresponding to? And? In Equation 12 can be set for each security control item, which is shown in Table 1 described above.

Since the vulnerability mitigation rate set in step 10 is used for the vulnerability mitigation function, the result of the function affects the mitigated vulnerability score that is calculated.

The vulnerability mitigation rate may vary depending on the nature of the security control item, and may be affected by enterprises and organizations, service characteristics, and cloud computing environment. In addition, the vulnerability mitigation rate can be determined differently depending on the data and statistics accumulated by existing investments.

Next, the server evaluates the security risk (S20), and the security risk evaluation step will be described in more detail with reference to FIG.

Step 100 in FIG. 7 is the same as step 10 described above, so a detailed description is omitted. Step 20 of evaluating the security risk may include steps 200 through 500 of FIG. Referring to FIG. 7, the server sets one or more security threats that may occur in the cloud service and a vulnerability of each security threat according to the cloud service type (S100), and detects duplicate vulnerabilities with respect to the entire one or more security threats An attack tree map can be generated by unifying the nodes into one node (S200).

Next, the server can match the security control items to complement each vulnerability node of the attack tree map (S300). Since the embodiment of steps 200 to 300 has been described above with reference to the example of FIG. 3, a detailed description will be omitted.

The server computes vulnerability scores of each of the vulnerability nodes using the child node structure and correlation of the vulnerability node (S400), adds the vulnerability scores for each security control item, and quantifies the security risk of the cloud service quantitatively (S500).

In step 400, the server calculates a vulnerability score of each vulnerability node using the child node structure and the degree of correlation of the vulnerability node, and the vulnerability score can be derived using the following equations (13) to (15).

For example, if one or more first child nodes of an arbitrary first vulnerability node are mutually independent, the product of the vulnerability score of the first child node and the correlation coefficient of the first child node-vulnerability node, , Which can be expressed by the equation (13) or (14).

In another embodiment, when one or more second child nodes of an arbitrary second vulnerability node are mutually AND conditional relations, the sum of the weak point of the second child node and the correlation coefficient of the second child node-vulnerability node The vulnerability score of the second vulnerability node can be calculated by dividing the vulnerability score of the second vulnerability node by the number of the second child nodes.

의 취약 점수

이며, 수학식 14는 취약점 노드(

)와 자식 노드 간 상호 독립적인 OR 구조를 갖는 경우의 취약점

의 취약 점수

이다. 수학식 15는 취약점 노드(

)와 자식 노드 간 AND 구조를 갖는 경우의 취약점

의 취약 점수

이다.Equation (13) shows the vulnerability in an attack tree map having a general structure

Vulnerability score

(14) is a vulnerability node

) And child nodes have mutually independent OR structure

Vulnerability score

to be. Equation (15) represents the vulnerability node

) And a child node has an AND structure.

Vulnerability score

to be.

를 구할 수 있으며, 이를 모두 합산하여 투자 전의 총 취약점수(TVV)를 산출하여 클라우드 서비스의 보안 위험을 정량적으로 평가한다. 본 발명의 일 실시 예에서, 투자 전의 총 취약점수(TVV)는 클라우드 서비스의 보안 위험을 나타내는 정량적 지표로 이해될 수 있으며, 투자 전의 총 취약 점수(TVV)는 하기 수학식 16과 같이 산출할 수 있다. The server adds the vulnerability scores for each security control item

, And all of them are summed up to calculate the total number of vulnerabilities (TVV) before investment to quantitatively evaluate the security risk of the cloud service. In one embodiment of the present invention, the total number of vulnerabilities (TVV) before investment can be understood as a quantitative index indicating the security risk of the cloud service, and the total vulnerability score (TVV) before investment can be calculated as shown in Equation have.

In another embodiment of the security risk assessment, the server may determine the weight for each security control item according to the cloud service type. In step 500, the server reflects the weight of the security control item to the weak score summed for each security control item, It can be evaluated quantitatively.

When the pre-investment security risk assessment is completed, the server can evaluate the post-investment security risk (S30), and step 30 will be described in more detail with reference to FIG.

8 is a flowchart illustrating an embodiment of a post-investment security risk evaluation for establishing an investment strategy. Referring to FIG. 8, the server calculates a relaxed security vulnerability score using the security vulnerability mitigation function. The mitigated security vulnerability score means the security vulnerability score of each security control item after investment for each security control item. When a security investment is made in a specific security control item, the security control item is strengthened, thereby lowering the security vulnerability. Therefore, it is expected that the vulnerable score will also be lowered.

에 투자 시, 상기 보안 제어 항목

에 대응하는 하나 이상의 투자 취약점의 보안 취약 완화 비율을 결정한 바 있다. 다만, 서버는 다른 실시 예에서 도 8에 도시된 바와 같이 투자 후 보안 위험 평가 단계에서 보안 취약 완화 비율을 결정할 수 있다(S600).In step 30, the server may use the vulnerability mitigation rate set in step 10. [ In the embodiment of step 10 described above, any security control item

, The security control item

Vulnerability mitigation ratios of one or more investment vulnerabilities corresponding to. However, the server may determine the vulnerability mitigation rate in the post-investment security risk assessment step as shown in FIG. 8 in another embodiment (S600).

The server can calculate the weakened vulnerability score of each of the investment vulnerability nodes using the child node structure and correlation of the investment vulnerability node, the investment amount corresponding to the investment, and the vulnerability mitigation ratio of the investment vulnerability (S700) . In addition, the server may sum up the mitigated weak points for each security control item, and quantitatively evaluate the security risk of the cloud service after the investment (S800).

이면, 상기 투자 취약점 노드

의 완화된 취약 점수

를 전술한 수학식 12에 따라 산출할 수 있다. 이 때,

및

는 단계 10 또는 단계 600에서 결정된 보안 취약 완화 비율일 수 있다. For example, the server may determine that the amount of investment

, The investment vulnerability node

Mitigated vulnerability scores

Can be calculated according to Equation (12). At this time,

And

May be the vulnerable mitigation ratio determined in step 10 or step 600. [

More specifically, in step 700, the server can calculate the vulnerability score that is relaxed as follows considering the structure of the vulnerability node and its child nodes.

를 투자한 후의 일반적인 구조를 갖는 취약점 노드

의 취약 점수이며, 수학식 18은 i번째 보안 제어 항목에 보안 투자 금액

를 투자한 후의 자식 노드와 OR 구조를 갖는 취약점 노드

의 취약 점수, 수학식 19는 i번째 보안 제어 항목에 보안 투자 금액

를 투자한 후의 자식 노드와 AND 구조를 갖는 취약점 노드

의 취약 점수를 나타낸 것이다. Equations (17) to (19) are examples of an expression for calculating a relaxed weak score in consideration of the structure. Equation (17) shows that the security investment amount

Vulnerable node with a common structure after investing

And Equation (18) represents the security investment amount in the i-th security control item

A vulnerability node having an OR structure with a child node after investing

, And Equation (19) represents the security investment amount in the i-th security control item

A vulnerable node having an AND structure with a child node after investing

.

The weakened score after each investment can be sorted around the security control item, and the total weakness score iTVV after investment can be derived as shown in Equation 20 below. Total vulnerability score after investment iTVV is a quantitative evaluation of security risk after investment, and server can compare security risk after investment with security risk before investment using TVV and iTVV in step of establishing investment strategy.

Next, in step 40, the server can calculate the optimal investment amount for each security control item so that the post-investment security risk quantitatively evaluated in step 30 is minimized. For example, the investment calculation unit 170 may calculate the investment amount using the Lagrange multiplier method, which is an optimization technique, to satisfy the lower condition of Equation (21) below.

Next, in step 50, the server can provide the user with a result of comparing the weak points before and after the investment using the total weakness score before investment (TVV) and the total weakness score after investment (iTVV) By quantitative comparison with investment strategy, it is possible to provide (recommend) the most excellent investment strategy to users. For example, if the total investment amount is equally invested in all security control items, the total vulnerability score can be calculated and provided to the user (equal investment). Using the Lagrange multiplier described above, the iTVV value is the smallest The total vulnerability score of the user can be calculated and provided to the user (optimal investment). The user can refer to the quantified post-investment security risk provided by the server to the budget use for the security investment and effectively execute the security investment.

The methods described herein may be implemented by one or more computer programs executed by one or more processors. Computer programs include processor-executable instructions stored on a non-transitory type computer readable medium. The computer programs may also include stored data. Non-limiting examples of non-transitory tangible computer readable media are non-volatile memory systems, magnetic storage, and optical storage.

Certain embodiments of the techniques described above include processing steps and instructions described herein in an algorithmic form. The processing steps and instructions described above may be implemented in software, firmware, or hardware, and when implemented in software, may be downloaded to reside on other platforms used in real-time network operating systems And it can be operated from there.

The present invention also relates to an apparatus for performing the operations herein. Such a device may be specially constructed for a desired purpose or may comprise a general purpose computer selectively activated or reconfigured by a computer program stored on a computer readable medium that can be accessed by a computer. Such a computer program may be stored on a computer-readable storage medium of a type, such as, for example, floppy disks, optical disks, CD-ROMs, magneto-optical disks (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits ASICs), or any type of medium suitable for storing electronic instructions and each coupled to a computer system bus, but are not so limited. Moreover, the computers referred to herein may include a single processor, or may be architectures that use multiple processor designs to enhance computing capabilities.

The algorithms and operations presented herein are not inherently related to any particular computer or other devices. Various general purpose systems may also be used with the programs according to the teachings herein or it may prove convenient to construct devices that are more specifically designed to perform the steps of the desired method. The structure required for a variety of these systems, along with their equivalent variants, will be apparent to those skilled in the art. Additionally, the present disclosure is not described in connection with any particular programming language. It should be understood that various programming languages may be used to implement the teachings of the present disclosure as described herein, and that any reference to a particular language is intended to be illustrative of the embodiments and best mode of the present invention.

Some embodiments omitted in this specification are equally applicable if their implementation subject is the same. It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to be exemplary and explanatory only and are not restrictive of the invention, The present invention is not limited to the drawings.

100: security risk assessment based security investment device (server)
110: environment setting unit
130: attack tree map generating unit
140: weight determining unit
150: security risk evaluation section
170: Investment Government
190: Investment Analysis Department

Claims (16)

In a method for a server to perform security investment based security risk assessment in a cloud computing environment,
Setting at least one security threat that may occur in the cloud service and a stepwise vulnerability in each detail attack that causes the security threat according to a cloud service type;
If the vulnerabilities included in the first and second threats are the same, the same vulnerability is unified into one vulnerability node, and a single vulnerability Generating an attack tree map by connecting the first security threat and the second security threat to a node;
Matching a security control item for supplementing the vulnerability with each of the vulnerability nodes of the attack tree map;
The vulnerability node

Child node of

The number of vulnerabilities of the vulnerability node

To

, If they are in a mutual AND relationship

(

The

The number of steps of calculating the number of steps;
Summing the vulnerability scores for each security control item, and quantitatively evaluating a security risk of the cloud service using the sum.
The method according to claim 1,
Further comprising determining a weight for each security control item according to the cloud service type,
Wherein the step of quantitatively evaluating the security risk comprises quantitatively evaluating the security risk by reflecting a weight of the security control item to a weak score summed for each security control item.
The method according to claim 1,
Any security control item

The security control item

Determining a vulnerability mitigation rate of one or more investment vulnerabilities corresponding to the at least one investment vulnerability;
Calculating a relaxed vulnerability score of each of the investment vulnerability nodes using the structure and degree of correlation of the investment node, the investment amount corresponding to the investment, and the vulnerability mitigation rate of the investment vulnerability node;
And adding the mitigated vulnerability score for each security control item and quantitatively evaluating a security risk of the cloud service after the investment using the sum.
The method of claim 3,
The relaxed vulnerability score calculation step
The investment amount

, The investment vulnerability node

Mitigated vulnerability scores

Is calculated by the following equation,

And

Is a predefined constant that is based on security risk assessment.

=

The method of claim 3,
Further comprising calculating an investment amount by the security control item such that a value obtained by quantitatively evaluating the post-investment security risk is minimized.
6. The method of claim 5,
The investment amount calculation step is performed using the Lagrange multiplier method.
The method according to claim 1,
Wherein the step of calculating the vulnerability score of each of the vulnerability nodes comprises:
Wherein when the one or more first child nodes of an arbitrary first vulnerability node are mutually independent, the sum of the weak point of the first child node and the correlation coefficient of the first child node-vulnerability node And calculating a score,
Wherein when the one or more second child nodes of an arbitrary second vulnerability node are mutually AND conditional relations, a value obtained by summing a product of the vulnerability score of the second child node and the correlation coefficient between the second child node and the vulnerability node And calculating the vulnerability score of the second vulnerability node by dividing the vulnerability score by the number of child nodes.
The method according to claim 1,
Wherein the security control item is a security risk assessment based on at least one of Secure Storage, Secure Processing, Network, Access Control, Audit Verification and Compliance, Security investment method.
An environment setting unit configured to set one or more security threats that may occur in the cloud service according to the cloud service type and a stepwise vulnerability in each of the detailed attacks that cause the security threat;
If the vulnerabilities included in the first and second threats are the same, the same vulnerability is unified into one vulnerability node, and a single vulnerability An attack tree map generating unit for generating an attack tree map by connecting the first security threat and the second security threat to a node and matching security control items for supplementing the vulnerability node to each of the vulnerability nodes of the attack tree map;
The vulnerability node

Child node of

The number of vulnerabilities of the vulnerability node

To

, If they are in a mutual AND relationship

(

The

And a security risk evaluation unit that quantitatively evaluates the security risk of the cloud service using the sum of the vulnerability scores for each security control item.
10. The method of claim 9,
Further comprising a weight determining unit for determining a weight for each security control item according to the cloud service type,
The security risk evaluation unit
And the security risk is quantitatively evaluated by reflecting a weight of the security control item to a weak score summed for each security control item.
10. The method of claim 9,
The environment setting unit
Any security control item

, The security control item

Vulnerability mitigation rate of one or more first vulnerabilities corresponding to the first vulnerability,
The security risk evaluation unit
Calculating a vulnerability score of each of the first vulnerability nodes using the structure and degree of correlation of the child node of the first vulnerability node, the investment amount corresponding to the investment, and the vulnerability mitigation ratio of the first vulnerability, A security risk assessment based security risk assessment system that quantifies the security risks after investment of the cloud service by summing the mitigated vulnerability scores for each control item and using the sum.
12. The method of claim 11,
The security risk evaluation unit
The investment amount

, The first vulnerability node

Mitigated vulnerability scores

Is calculated according to the following formula,

And

Is a predetermined constant, based on security risk assessment.

=

12. The method of claim 11,
And an investment amount calculation unit for calculating an investment amount by the security control item such that a value obtained by quantitatively evaluating the post-investment security risk is minimized.
14. The method of claim 13,
The investment calculation unit calculates the investment amount using the Lagrange multiplier method.
10. The method of claim 9,
The security risk evaluation unit
Wherein when the one or more first child nodes of an arbitrary first vulnerability node are mutually independent, the sum of the weak point of the first child node and the correlation coefficient of the first child node-vulnerability node Score,
Wherein when the one or more second child nodes of an arbitrary second vulnerability node are mutually AND conditional relations, a value obtained by summing a product of the vulnerability score of the second child node and the correlation coefficient between the second child node and the vulnerability node And calculating a vulnerability score of the second vulnerability node by dividing the vulnerability score by the number of child nodes.
10. The method of claim 9,
Wherein the security control item is a security risk assessment based on at least one of Secure Storage, Secure Processing, Network, Access Control, Audit Verification and Compliance, Security investment device.

Images