Doctor of Philosophy (PhD)
Subjects: Computer security; Computer networks--Risk assessment--Methodology; Fuzzy logic.
Numerous organizations run their businesses around the clock and interact with users through computer networks. The substantial issue is that an organization may not be able to assure its users that every operation is performed completely securely while they are engaged with the system. On a broader scale, the need for security assurance goes beyond business affairs: a lack of system security in organizations and agencies may endanger national security and public safety. All records, research, and scientific studies show that it is almost impossible to guarantee that every service and transaction on a computer system is flawless. Thus, the only way to reduce the likelihood of a potential attack by an adversary is to analyze, evaluate, and measure the vulnerability of the system. Much research has been conducted to find an airtight discipline that solves this issue with an integrated and standard methodology. The problem is that growth in system complexity is almost inevitable, so organizations put effort into managing that complexity in order to reduce risk as much as possible and inhibit the adversary. Reducing complexity as far as possible is necessary because, as computing systems expand, an adversary or a high-profile cyber attack finds more sophisticated ways to subvert the system. Despite all the research and studies in this area, the lack of a comprehensive and versatile methodology for measuring the vulnerability of a system has been conspicuous. What these studies have in common is that the vulnerability measurement methodology falls into either a qualitative or a quantitative category. Most studies have considered the problem in a qualitative context to evaluate potential vulnerabilities; in our research, we consider it quantitatively.
A qualitative assessment considers the system descriptively to reduce its ambiguity as much as possible; it is usually based on subjective qualities assigned to each security factor. A quantitative assessment, on the other hand, concerns the numerical characteristics of the system's security factors, for which measurable data are used to evaluate and consequently calculate the appropriate metrics for potential vulnerabilities. In our research, we mainly focus on the quantitative approach to vulnerability measurement; however, we first have to analyze the system qualitatively to understand all of its security aspects, and then measure the potential vulnerabilities quantitatively. Although our research should apply to all domains, as a proof of concept we apply our quantification methodology to the Department of Transportation (DOT). The DOT is a good first area to study since cybersecurity has not been heavily considered in the DOT heretofore. In the first phase, we define the entire set of security requirements of the DOT system based on the System Quality Requirements Engineering (SQUARE) model for elicitation and prioritization of security factors and sub-factors. Then we apply Goal Question Metrics (GQM) to construct the appropriate security metrics for the security factors. Through this process, a well-defined and comprehensive questionnaire is designed to be answered by system experts in the DOT. This process is based on security standards such as NIST and ISO, such that each question has to obey the available measures and pre-defined standards that have been accepted by organizations and agencies. In the next phase, we apply the Fuzzy Logic methodology to measure each metric defined in the previous step in order to quantify vulnerabilities.
Moreover, in order to obtain a more precise quantification result, we apply the Analytic Hierarchy Process (AHP) methodology in two preliminary studies for security factor and sub-factor prioritization based on their weight and importance in the DOT. Since AHP is a very subjective method, our research group decided that it could not be very reliable in our research, and we proceeded to the final study without AHP. All in all, we applied Multi-layered Fuzzy Logic to quantify vulnerabilities in the DOT.
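A compact illustration of the hierarchical (multi-layered) fuzzy roll-up described above, added here as example code rather than the dissertation's own implementation: questionnaire-derived exposure scores for sub-factors are rolled up into one fuzzy score per security factor, and those factor scores are rolled up again into an overall vulnerability score. The factor names, sample scores, membership functions and rule base are constructed assumptions, since the abstract does not publish them.

```python
from typing import Dict, Sequence

GRID = [i / 10 for i in range(101)]  # output universe: 0.0 .. 10.0 in 0.1 steps

def fuzzify(x: float) -> Dict[str, float]:
    """Map a 0..10 exposure score onto three overlapping triangular sets (assumed shapes)."""
    return {
        "low": max(0.0, 1 - x / 5),
        "medium": max(0.0, 1 - abs(x - 5) / 5),
        "high": max(0.0, (x - 5) / 5),
    }

def infer(scores: Sequence[float]) -> float:
    """One Mamdani layer: fuzzify the inputs, fire three rules, defuzzify by centroid.
    Rules (AND = min, OR = max), an assumed rule base:
      R1: IF every input is LOW   THEN output LOW
      R2: IF any input is MEDIUM  THEN output MEDIUM
      R3: IF any input is HIGH    THEN output HIGH
    R3 makes a single severe gap dominate the aggregate, which a plain mean would dilute.
    """
    sets = [fuzzify(s) for s in scores]
    strength = {
        "low": min(m["low"] for m in sets),
        "medium": max(m["medium"] for m in sets),
        "high": max(m["high"] for m in sets),
    }
    # Clip each output set at its rule strength, take the union (max), then the centroid.
    num = den = 0.0
    for y in GRID:
        mu = max(min(strength[level], deg) for level, deg in fuzzify(y).items())
        num += y * mu
        den += mu
    return round(num / den, 2) if den else 0.0

def vulnerability(model: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Layer 1: sub-factor scores -> one score per factor. Layer 2: factor scores -> overall."""
    factors = {name: infer(list(subs.values())) for name, subs in model.items()}
    return {**factors, "overall": infer(list(factors.values()))}

# Constructed questionnaire results (0 = control fully met, 10 = severe exposure).
DOT_SAMPLE = {
    "access_control": {"authentication": 2.0, "least_privilege": 3.0},
    "network_security": {"segmentation": 8.0, "monitoring": 4.0},
    "incident_response": {"playbooks": 5.0, "training": 6.0},
}

if __name__ == "__main__":
    print(vulnerability(DOT_SAMPLE))
```

Note that centroid defuzzification never reaches the ends of the scale (all-zero inputs score about 1.6, not 0), which is a property of Mamdani inference rather than a bug and matters when reporting scores against a fixed threshold.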
Shojaeshafiei, Mohammad, "A measurable cybersecurity quality framework and its application to the Department of Transportation" (2020). Dissertations. 201.