G-RAM framework for software risk assessment and mitigation strategies in organisations
Published in: | Journal of enterprise information management 2018-03, Vol.31 (2), p.276-299 |
---|---|
Main Authors: | Biswas, Baidyanath; Mukhopadhyay, Arunabha |
Format: | Article |
Language: | English |
Subjects: | Autoregressive processes; Business; Clustering; Computer viruses; Correlation analysis; Cybersecurity; Econometrics; Empirical analysis; Exploitation; Growth models; Information systems; Information technology; Literature reviews; Model accuracy; Network security; Optimization; Parameter estimation; Risk analysis; Risk assessment; Security management; Software; Software reliability; Statistical distributions; Time dependence; Variance; Volatility |
Field | Value |
---|---|
container_end_page | 299 |
container_issue | 2 |
container_start_page | 276 |
container_title | Journal of enterprise information management |
container_volume | 31 |
creator | Biswas, Baidyanath; Mukhopadhyay, Arunabha |
description | Purpose
Malicious attackers frequently breach information systems by exploiting disclosed software vulnerabilities. Knowledge of these vulnerabilities over time is essential to decide the use of software products by organisations. The purpose of this paper is to propose a novel G-RAM framework for business organisations to assess and mitigate risks arising out of software vulnerabilities.
Design/methodology/approach
The G-RAM risk assessment module uses GARCH to model vulnerability growth. Using 16-year data across 1999-2016 from the National Vulnerability Database, the authors estimate the model parameters and validate the prediction accuracy. Next, the G-RAM risk mitigation module designs an optimal software portfolio using Markowitz’s mean-variance optimisation for a given IT budget and preference.
Findings
Based on an empirical analysis, this study establishes that vulnerability follows a non-linear, time-dependent, heteroskedastic growth pattern. Further, efficient software combinations are proposed that optimise correlated risk. The study also reports empirical evidence of a shift in the efficient frontier of software configurations with time.
Research limitations/implications
The existing assumption of independent and identically distributed residuals after vulnerability function fitting is incorrect. This study applies the GARCH technique to measure volatility clustering and mean reversal. The risk (or volatility) represented by the instantaneous variance is dependent on the immediately previous one, as well as on the unconditional variance of the entire vulnerability growth process.
Practical implications
The volatility-based estimation of vulnerability growth is a risk assessment mechanism. Next, the portfolio analysis acts as a risk mitigation activity. Results from this study can decide the patch management cycle needed for each software product – individual or group patching. G-RAM also ranks them into a 2×2 risk-return matrix to ensure that the correlated risk is diversified. Finally, the paper helps business firms to decide what to purchase and what to avoid.
Originality/value
Contrary to the existing techniques, which either analyse with statistical distributions or linear econometric methods, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. The paper also links software risk assessment to IT governance and strategic business objectives. To the authors’ knowledge, this is the first study in IT security to examine and forecast volatility, and further design risk-optimal software portfolios. |
doi_str_mv | 10.1108/JEIM-05-2017-0069 |
format | article |
publisher | Bradford: Emerald Publishing Limited |
rights | Emerald Publishing Limited 2018 |
date | 2018-03-05 |
tpages | 24 |
orcidid | https://orcid.org/0000-0002-0609-3530 |
fulltext | fulltext |
identifier | ISSN: 1741-0398 |
ispartof | Journal of enterprise information management, 2018-03, Vol.31 (2), p.276-299 |
issn | 1741-0398 (print); 1758-7409 (electronic) |
language | eng |
recordid | cdi_emerald_primary_10_1108_JEIM-05-2017-0069 |
source | Library & Information Science Abstracts (LISA); ABI/INFORM Global; Emerald:Jisc Collections:Emerald Subject Collections HE and FE 2024-2026:Emerald Premier (reading list); Library & Information Science Collection; Alma/SFX Local Collection; ProQuest Social Science Premium Collection |
subjects | Autoregressive processes; Business; Clustering; Computer viruses; Correlation analysis; Cybersecurity; Econometrics; Empirical analysis; Exploitation; Growth models; Information systems; Information technology; Literature reviews; Model accuracy; Network security; Optimization; Parameter estimation; Risk analysis; Risk assessment; Security management; Software; Software reliability; Statistical distributions; Time dependence; Variance; Volatility |
title | G-RAM framework for software risk assessment and mitigation strategies in organisations |