Bayesian Decision Network-Based Security Risk Management Framework

Network security risk management is comprised of several essential processes, namely risk assessment, risk mitigation and risk validation and monitoring, which should be done accurately to maintain the overall security level of a network in an acceptable level. In this paper, an integrated framework for network security risk management is presented which is based on a probabilistic graphical model called Bayesian decision network (BDN). Using BDN, we model the information needed for managing security risks, such as information about vulnerabilities, risk-reducing countermeasures and the effects of implementing them on vulnerabilities, with the minimum need for expert's knowledge. In order to increase the accuracy of the proposed risk assessment process, vulnerabilities exploitation probability and impact of vulnerabilities exploitation on network assets are calculated using inherent, temporal and environmental factors. In the risk mitigation process, a cost-benefit analysis is efficiently done using modified Bayesian inference algorithms even in case of budget limitation. The experimental results show that network security level enhances significantly due to precise assessment and appropriate mitigation of risks.