
Finding and Fixing Vulnerabilities in Information Systems

The Vulnerability Assessment and Mitigation Methodology

RAND report number: MR-1601

By: Philip S. Anton, Robert H. Anderson, Richard Mesic, Michael Scheiern

Understanding an organization's reliance on information systems, and how to mitigate the vulnerabilities of those systems, can be an intimidating challenge, especially when the weaknesses in question are obscure or are unknown vulnerabilities that have not yet been exploited. The authors, recognizing the risks posed by new kinds of information security threats, build on previous RAND mitigation work by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while also mitigating current and past threats and weaknesses. The authors lead evaluators through classifying the vulnerabilities in their systems' physical, cyber, human/social, and infrastructure elements and identifying which security techniques are relevant to each vulnerability. VAM also decomposes an information compromise into five fundamental components of attack or failure, all of which an attacker needs: knowledge, access, target vulnerability, non-retribution, and assessment. In addition, the report describes a new automated tool implemented as an Excel spreadsheet; the tool greatly simplifies applying the methodology and focuses the analysis on cautions, risks, and barriers associated with each candidate mitigation.
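The following is an added example, not code from the report or RAND's spreadsheet tool, showing how a VAM-style vulnerability-to-mitigation map resolves into ranked recommendations and cautions. Every attribute name, technique name, rating value, and attack-component tag below is a constructed assumption for illustration; the report's actual map values are in its appendix and are not reproduced here.

```python
"""Toy VAM-style scoring of security techniques against selected vulnerabilities.

ASSUMPTIONS (constructed for this example, not taken from the RAND report):
- vulnerability attributes and their object categories,
- technique names and the attack component each primarily denies,
- the rating convention: +2 primary mitigation, +1 secondary mitigation,
  0 no effect, -1 caution (the technique may aggravate or introduce
  that weakness).
"""
from collections import defaultdict

# The five components an attack or failure needs, as named in the abstract.
ATTACK_COMPONENTS = ("knowledge", "access", "target vulnerability",
                     "non-retribution", "assessment")

# Evaluator-selected vulnerabilities: (object category, attribute). Constructed.
VULNERABILITIES = {
    ("cyber", "homogeneity"),
    ("cyber", "centrality"),
    ("physical", "single point of failure"),
    ("human/social", "predictable behavior"),
    ("infrastructure", "dependence on single power feed"),
}

# Candidate techniques -> attack component each primarily denies. Constructed.
TECHNIQUES = {
    "heterogeneity": "target vulnerability",
    "redundancy": "target vulnerability",
    "decentralization": "access",
    "deception": "knowledge",
    "intrusion detection": "assessment",
    "attribution/forensics": "non-retribution",
}

# Vulnerability-to-mitigation map: (attribute, technique) -> rating. Constructed.
# Negative cells are the "cautions": a technique that fixes one weakness
# but may create or worsen another.
MAP = {
    ("homogeneity", "heterogeneity"): 2,
    ("homogeneity", "redundancy"): -1,   # replicas of one design stay homogeneous
    ("centrality", "decentralization"): 2,
    ("centrality", "redundancy"): 1,
    ("single point of failure", "redundancy"): 2,
    ("single point of failure", "decentralization"): 1,
    ("predictable behavior", "deception"): 1,
    ("predictable behavior", "intrusion detection"): 1,
    ("dependence on single power feed", "redundancy"): 2,
    ("dependence on single power feed", "decentralization"): -1,  # more sites, more feeds to protect
}


def score_techniques(vulns, vmap=MAP, techniques=TECHNIQUES):
    """Sum map ratings per technique over the selected vulnerabilities and
    collect, per technique, the attributes it would aggravate (cautions).
    Returns {technique: (total_score, sorted_caution_attributes)}."""
    totals = {t: 0 for t in techniques}
    cautions = defaultdict(list)
    for _category, attr in vulns:
        for tech in techniques:
            rating = vmap.get((attr, tech), 0)
            totals[tech] += rating
            if rating < 0:
                cautions[tech].append(attr)
    return {t: (totals[t], sorted(cautions[t])) for t in techniques}


def recommend(vulns, vmap=MAP, techniques=TECHNIQUES):
    """Rank techniques with a positive net score, highest first, ties by name.
    Each entry is (technique, score, cautions)."""
    scored = score_techniques(vulns, vmap, techniques)
    ranked = [(t, s, c) for t, (s, c) in scored.items() if s > 0]
    ranked.sort(key=lambda entry: (-entry[1], entry[0]))
    return ranked


def component_coverage(selected, techniques=TECHNIQUES):
    """Which of the five attack components a chosen technique set denies,
    and which it leaves untouched. An attacker needs all five, so one
    denied component is enough to break a single attack path; a gap shows
    where the chosen set relies entirely on other controls."""
    denied = {techniques[t] for t in selected}
    missing = [c for c in ATTACK_COMPONENTS if c not in denied]
    return denied, missing


if __name__ == "__main__":
    for tech, score, warn in recommend(VULNERABILITIES):
        flag = f"  CAUTION: may aggravate {warn}" if warn else ""
        print(f"{tech:22s} {score:+d}{flag}")
    denied, missing = component_coverage(["redundancy", "decentralization"])
    print("denies:", sorted(denied))
    print("leaves undenied:", missing)
```

Techniques with a net positive score but a non-empty caution list are exactly the ones an evaluator should not adopt blindly: in this constructed map, redundancy scores highest yet deepens homogeneity, so the evaluator would pair it with heterogeneity or accept the residual risk explicitly.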


Pages: 143

ISBN/EAN: 0-8330-3434-0

Free PDF downloads are available for the full document (1.5 MB) and for the summary only (0.5 MB).

Contents

Chapter One: Introduction
Chapter Two: Concepts and Definitions
Chapter Three: VAM Methodology and Other DoD Practices in Risk Assessment
Chapter Four: Vulnerability Attributes of System Objects
Chapter Five: Direct and Indirect Security Techniques
Chapter Six: Generating Security Options for Vulnerabilities
Chapter Seven: Automating and Executing the Methodology: A Spreadsheet Tool
Chapter Eight: Next Steps and Discussion
Chapter Nine: Summary and Conclusions
Appendix: Vulnerability to Mitigation Map Values

The research described in this report was sponsored by the Defense Advanced Research Projects Agency. The research was conducted within the RAND National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies.

The monograph/report was a product of the RAND Corporation from 1993 to 2003. RAND monograph/reports presented major research findings that addressed the challenges facing the public and private sectors. They included executive summaries, technical documentation, and synthesis pieces.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.
