Risk Analysis of Layered Solutions
Primary Investigator:
Melissa Dark
John Zage, Robert Wells, Marsella Farnam
Abstract
The composite risk of a system can be measured by determining the composite assurance of the layered solution. There is an inverse relationship between risk and assurance. As risk is reduced, the degree of assurance increases proportionally and vice versa. To measure the composite assurance, we identified relevant attributes corresponding to the assurance strength of an individual application, assessed the impact of interaction between entities and finally calculated an overall composite assurance value. After selecting ten attributes, we created an experimental method to combine these measurements into one relational value. A comparison is made between every layer and another experimental method converts the individual assurance values from each component with their interdependency relational values to other components into an overall assurance value. Lastly, we created a third experimental method to adjust the overall assurance value based on time-deployed and open vulnerabilities.