{"title":"Security risk metrics: fusing enterprise objectives and vulnerabilities","authors":"K. Clark, J. Dawkins, John Hale","doi":"10.1109/IAW.2005.1495978","DOIUrl":null,"url":null,"abstract":"Automated scanners are unable to generate the information required to properly assess a network's risk. Although scanners may identify high risk exposures, they fail to determine how those exposures affect an organization's objectives. Such an assessment requires an auditor to identify the objectives and their relationship to network hosts. Mission trees allow security auditors to map relationships between an organization's objectives and its assets. Synthesizing this data with a vulnerability scanner lends itself to creating meaningful enterprise security metrics.","PeriodicalId":252208,"journal":{"name":"Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-06-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2005.1495978","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 15
Abstract
Automated scanners are unable to generate the information required to properly assess a network's risk. Although scanners may identify high risk exposures, they fail to determine how those exposures affect an organization's objectives. Such an assessment requires an auditor to identify the objectives and their relationship to network hosts. Mission trees allow security auditors to map relationships between an organization's objectives and its assets. Synthesizing this data with a vulnerability scanner lends itself to creating meaningful enterprise security metrics.