{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:28:37Z","timestamp":1750220917088,"version":"3.41.0"},"publisher-location":"Cham","reference-count":31,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319578576"},{"type":"electronic","value":"9783319578583"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-57858-3_4","type":"book-chapter","created":{"date-parts":[[2017,4,24]],"date-time":"2017-04-24T06:59:24Z","timestamp":1493017164000},"page":"37-52","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Quantitative Information Security Risk Estimation Using Probabilistic Attack Graphs"],"prefix":"10.1007","author":[{"given":"Pontus","family":"Johnson","sequence":"first","affiliation":[]},{"given":"Alexandre","family":"Vernotte","sequence":"additional","affiliation":[]},{"given":"Dan","family":"Gorton","sequence":"additional","affiliation":[]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[]},{"given":"Robert","family":"Lagerstr\u00f6m","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,4,25]]},"reference":[{"key":"4_CR1","unstructured":"Alberts, C.J., Dorofee, A.: Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Longman Publishing Co., Inc. (2002)"},{"key":"4_CR2","doi-asserted-by":"crossref","unstructured":"Armin, J., Thompson, B., Ariu, D., Giacinto, G., Roli, F., Kijewski, P.: 2020 cybercrime economic costs: No measure no solution. In 10th International Conference on Availability, Reliability and Security (ARES), pp. 701\u2013710. IEEE (2015)","DOI":"10.1109\/ARES.2015.56"},{"issue":"2","key":"4_CR3","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/BF02592101","volume":"73","author":"BV Cherkassky","year":"1996","unstructured":"Cherkassky, B.V., Goldberg, A.V., Radzik, T.: Shortest paths algorithms: theory and experimental evaluation. Math. Program. 73(2), 129\u2013174 (1996)","journal-title":"Math. Program."},{"key":"4_CR4","doi-asserted-by":"crossref","unstructured":"Chu, M., Ingols, K., Lippmann, R., Webster, S., Boyer, S.: Visualizing attack graphs, reachability, and trust relationships with navigator. In: Proceedings of the 7th International Symposium on Visualization for Cyber Security, pp. 22\u201333. ACM (2010)","DOI":"10.1145\/1850795.1850798"},{"key":"4_CR5","unstructured":"European Commission. Towards a general policy on the fight against cyber crime (2007). http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:52007DC0267 . Accessed 5 March 2017"},{"key":"4_CR6","unstructured":"Cooper, D.: The australian and new zealand standard on risk management, as\/nzs 4360: 2004. Tutorial Notes: Broadleaf Capital International Pty Ltd, pp. 128\u2013151 (2004)"},{"key":"4_CR7","unstructured":"ECB. Recommendations for the security of internet payments (2015). https:\/\/www.ecb.europa.eu\/pub\/pdf\/other\/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf , Accessed 5 March 2017"},{"key":"4_CR8","unstructured":"FFIEC. Supplement to authentication in an internet banking environment (2011). https:\/\/www.fdic.gov\/news\/news\/financial\/2011\/fil11050.pdf . Accessed 5 March 2017"},{"key":"4_CR9","unstructured":"W. E. Forum. Industry agenda. partnering for cyber resilience - towards the quantification of cyber threats, January 2015. http:\/\/www3.weforum.org\/docs\/WEFUSA_QuantificationofCyberThreats_Report2015.pdf . Accessed 5 March 2017"},{"key":"4_CR10","doi-asserted-by":"crossref","unstructured":"Frigault, M., Wang, L., Singhal, A., Jajodia, S.: Measuring network security using dynamic Bayesian network. In: Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 23\u201330. ACM (2008)","DOI":"10.1145\/1456362.1456368"},{"key":"4_CR11","doi-asserted-by":"crossref","unstructured":"Goodyear, M., Goerdel, H.T., Portillo, S., Williams, L.: Cybersecurity management in the states: The emerging role of chief information security officers. Available at SSRN 2187412 (2010)","DOI":"10.2139\/ssrn.2187412"},{"issue":"1","key":"4_CR12","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1109\/TDSC.2013.21","volume":"11","author":"H Holm","year":"2014","unstructured":"Holm, H.: A large-scale study of the time required to compromise a computer system. IEEE Trans. Dependable Secure Comput. 11(1), 2\u201315 (2014)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"4_CR13","doi-asserted-by":"crossref","unstructured":"Holm, H., Shahzad, K., Buschle, M., Ekstedt. M.: P cysemol: predictive, probabilistic cyber security modeling language. IEEE Trans. Dependable Secure Comput. 12(6), 626\u2013639 (2015)","DOI":"10.1109\/TDSC.2014.2382574"},{"issue":"4","key":"4_CR14","doi-asserted-by":"publisher","first-page":"561","DOI":"10.3233\/JCS-130475","volume":"21","author":"J Homer","year":"2013","unstructured":"Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S.R., Singhal, A.: Aggregating vulnerability metrics in enterprise networks using attack graphs. J. Comput. Secur. 21(4), 561\u2013597 (2013)","journal-title":"J. Comput. Secur."},{"key":"4_CR15","unstructured":"Hoo, K.J.S.: How much is enough? A risk management approach to computer security. Stanford University Stanford, Calif (2000)"},{"key":"4_CR16","unstructured":"Howard, M., LeBlanc, D.: Writing secure code, 2nd edn. (2002)"},{"key":"4_CR17","unstructured":"E. ISO. Iec 27005: 2011 (en) information technology-security techniques-information security risk management switzerland. ISO\/IEC (2011)"},{"key":"4_CR18","doi-asserted-by":"crossref","unstructured":"Johnson, P., Vernotte, A., Ekstedt, M., Lagerstr\u00f6m, R.: pwnpr3d: an attack-graph-driven probabilistic threat-modeling approach. In: 11th International Conference on Availability, Reliability and Security (ARES). IEEE (2016)","DOI":"10.1109\/ARES.2016.77"},{"issue":"4","key":"4_CR19","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1109\/32.588541","volume":"23","author":"E Jonsson","year":"1997","unstructured":"Jonsson, E., Olovsson, T.: A quantitative model of the security intrusion process based on attacker behavior. IEEE Trans. Softw. Eng. 23(4), 235\u2013245 (1997)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"4_CR20","unstructured":"Kaspersky. The great bank robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide (2015). http:\/\/usa.kaspersky.com\/about-us\/press-center\/press-releases\/2015\/great-bank-robbery-carbanak-cybergang-steals-1-billion-100-fina . Accessed 5 March 2017"},{"key":"4_CR21","volume-title":"Model-Driven Risk Analysis: The CORAS Approach","author":"MS Lund","year":"2010","unstructured":"Lund, M.S., Solhaug, B., St\u00f8len, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer Science & Business Media, Heidelberg (2010)"},{"key":"4_CR22","unstructured":"Meta object facility (MOF) 2.5 core specification (2015). http:\/\/www.omg.org\/spec\/MOF\/2.5\/"},{"key":"4_CR23","unstructured":"S. NIST. 800\u201330. Risk management guide for information technology systems, pp. 800\u201330 (2002)"},{"key":"4_CR24","doi-asserted-by":"crossref","unstructured":"Noel, S., Elder, M., Jajodia, S., Kalapa, P., O\u2019Hare, S., Prole, K.: Advances in topological vulnerability analysis. In: Conference For Homeland Security, CATCH 2009. Cybersecurity Applications Technology, pp. 124\u2013129, March 2009","DOI":"10.1109\/CATCH.2009.19"},{"issue":"1","key":"4_CR25","first-page":"135","volume":"1","author":"S Noel","year":"2010","unstructured":"Noel, S., Jajodia, S., Wang, L., Singhal, A.: Measuring security risk of networks using attack graphs. Int. J. Next Gener. Comput. 1(1), 135\u2013147 (2010)","journal-title":"Int. J. Next Gener. Comput."},{"issue":"3","key":"4_CR26","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1201\/1086.1065898X\/45390.14.3.20050701\/89149.6","volume":"14","author":"M Nyanchama","year":"2005","unstructured":"Nyanchama, M.: Enterprise vulnerability management and its role in information security management. Inform. Syst. Secur. 14(3), 29\u201356 (2005)","journal-title":"Inform. Syst. Secur."},{"key":"4_CR27","unstructured":"Ponemon Institute. Cost of cyber crime report (2013)"},{"issue":"1","key":"4_CR28","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1109\/TDSC.2011.34","volume":"9","author":"N Poolsappasit","year":"2012","unstructured":"Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61\u201374 (2012)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"issue":"2","key":"4_CR29","doi-asserted-by":"publisher","first-page":"215","DOI":"10.1016\/j.ijinfomgt.2015.11.009","volume":"36","author":"ZA Soomro","year":"2016","unstructured":"Soomro, Z.A., Shah, M.H., Ahmed, J.: Information security management needs more holistic approach: a literature review. Int. J. Inf. Manage. 36(2), 215\u2013225 (2016)","journal-title":"Int. J. Inf. Manage."},{"key":"4_CR30","unstructured":"Verizon. Data breach investigations report (2014)"},{"key":"4_CR31","doi-asserted-by":"crossref","unstructured":"Xie, P., Li, J.H., Ou, X., Liu, P., Levy, R.: Using Bayesian networks for cyber security analysis. In: 2010 IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 211\u2013220. IEEE (2010)","DOI":"10.1109\/DSN.2010.5544924"}],"container-title":["Lecture Notes in Computer Science","Risk Assessment and Risk-Driven Quality Assurance"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-57858-3_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:50:40Z","timestamp":1750204240000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-57858-3_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319578576","9783319578583"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-57858-3_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2017]]},"assertion":[{"value":"25 April 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"RISK","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Workshop on Risk Assessment and Risk-driven Testing","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Graz","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Austria","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2016","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 October 2016","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 October 2016","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"risk2016","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.fokus.fraunhofer.de\/de\/events\/risk_2016","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}