Date of Award

2020

Degree Type

Restricted to Claremont Colleges Dissertation

Degree Name

Information Systems and Technology, PhD

Program

Center for Information Systems and Technology

Advisor/Supervisor/Committee Chair

Tamir Bechor

Dissertation or Thesis Committee Member

Yan Li

Dissertation or Thesis Committee Member

Zachary Dodds

Dissertation or Thesis Committee Member

Allen Ohanian

Terms of Use & License Information

Terms of Use for work posted in Scholarship@Claremont.

Rights Information

© 2020 Bill Jung

Keywords

common vulnerability scoring system, cybersecurity, data science, risk management, vulnerability management

Subject Categories

Computer Sciences

Abstract

To mitigate known vulnerabilities in cybersecurity, organizations are in desperate need of critical information, such as exploit code maturity, confidence about exploits, remediation capability, and their own environmental contexts. Threats need to be contextualized so that they become visible risks for remedial actions. Extant efforts need significant improvements to prevent malicious actors from exploiting exposed risks. Research that is rigorously founded on theory yet pragmatic is crucial for better vulnerability management efforts. The NVD (National Vulnerability Database) Data Feeds, considered the de facto data source in the cybersecurity domain, unfortunately do not provide the complete set of vulnerability information that organizations need. Organizations therefore need to rely on cybersecurity experts and vendors to obtain the missing pieces of information. It is also cumbersome and often time-consuming to collect relevant information about risks and bring the needed knowledge together in one place. Using heuristics-based rules and prioritized-risk visualization, this research takes on the challenge of transforming vulnerabilities into context-aware, visible risks that organizations can handle and mitigate. First, to derive the three constituent Metric Values of CVSS Temporal Scores (Exploit Code Maturity, Remediation Level, and Report Confidence), which are factored into calculating Temporal and Environmental Scores, this study developed data-driven, heuristics-based rules by analyzing NVD datasets. Then, to guide cybersecurity analysts in analyzing and prioritizing threats, the most appropriate visualization tool for a context was selected based on a conceptual road-map. Subsequently, vulnerabilities of IT assets of the research sites were contextualized, and their CVEs (Common Vulnerabilities and Exposures) were collected. After the pertinent data were downloaded from NVD Data Feeds, they were matched with the contextualized risks.
Then, based on the three Temporal Metric Values derived, CVSS Temporal and Environmental Scores were calculated using data science tools. Overall CVSS Scores were then determined, and the contextualized risks were sorted by the following severity rankings: critical, high, medium, and low. The visualization tool imported the data with the contextualized risks, which were further refined before being sent to the cybersecurity analysts. The cybersecurity analysts then analyzed the insights from the visualization and provided feedback and evaluation to the researcher. Subsequently, the evaluation data was analyzed, and findings were reported. Via the two case studies conducted, the research sought to meet the following objectives: asking for the opinions of experts (vulnerability analysts) and evaluating the research model and visualization. For the first objective, asking for expert opinions, the research asked two significant questions: 1. What are the strengths and weaknesses of the model and visualization (‘the tool’) in their opinions? 2. Overall, is the tool an improvement over the current tool they are using? The second objective, evaluating the model and visualization, embedded two vital questions: 1. Were the improved scores with the Temporal, Environmental, and Overall Scores more accurate than the Base Score alone in assessing risks? 2. Was the visualization effective in prioritizing threats and guiding remediation effort at the organization?
After the conclusion of the case studies, the research found that the objectives were met, based on the following significant findings.

Positive findings:
- [Provision of] Temporal Scores
- [Provision of] Overall Scores
- Addition of Temporal, Environmental, and Overall Scores
- Improvements over current tool
- Prioritization of threats
- Link to the latest vulnerability information

Negative and unexpected findings:
- Elusive validity of the heuristics-based rules
- Different way to derive the Environmental Scores
- Extending the participant’s idea of deriving the Environmental Scores at each asset
- Insiders’ knowledge
- Tool's limitation

The aim of this doctoral thesis is to transform vulnerabilities into contextual, accurate risks, and then to visualize those risks so that decision makers can take remedial action on the exposed risks. The main contributions of the research are twofold: better prioritization of risks and an improved vulnerability scoring method. Its practical contributions are as follows: supplementing vulnerability scanning results, suggesting an end-to-end solution to manage risks, and suggesting how to derive the Temporal Metric Scores to assess risks more accurately. Finally, the research makes the following contributions to the scholarly literature: application of data analytics theories to a practice-oriented discipline (cybersecurity), transformation of vulnerabilities into context-aware risks, integration of three areas of vulnerability management that have been studied separately, making exposed risks more visible, and contribution to the body of knowledge in the cybersecurity domain.

ISBN

9798645446536
