### *5.2.1 Vulnerability of an entity*

Several vulnerable applications, services or protocols such as FTP, RSH, Nmap, etc. may be running in an IT entity for the functioning of business processes. The vulnerability *Ve* of an entity *e* is calculated as the average of the Common Vulnerability Scores (CVS) of all the applications running on the entity extracted from the vulnerability database, that is,

$$V_e = \frac{1}{10} \cdot \frac{\sum_{i=1}^{k} \text{CVS}_i}{k} \tag{1}$$

where *CVSi* is the Common Vulnerability Score of the *i*th application, protocol or service running in the entity *e*, and *k* is the number of applications, protocols and/or services running in the entity. The average CVS of all applications, protocols and/or services is divided by 10 to normalize *Ve* to the range 0 to 1, since each CVS lies between 0 and 10.

### *5.2.2 Exposure of an entity*

The exposure *Ee* of an entity *e* is determined considering the number of entities that may be affected because of the vulnerability in the target entity. Hence, it is computed as,

$$E_e = \frac{n}{N} \tag{2}$$

where *n* is the number of entities communicating with the target entity and *N* is the total number of entities in the IT systems.

The vulnerability values and threat models guide the risk assessment process for estimating risk levels of the entities in the IT infrastructure.

**Figure 3.** *CVS computation of vulnerabilities from the transformed metrics in case of nonavailability of V3 value in NVD.*

*Risk Assessment in IT Infrastructure* (DOI: http://dx.doi.org/10.5772/intechopen.90907)

**Algorithm 1** *Risk assessment* algorithm

```
procedure RISK_ANALYZE
    Entity set E = {e1, e2, …, en}
    for each entity e ∈ E do
        find Ve
        find Ee
        calculate τe = Ve * Ee
    end for
    calculate τ = Σ we * τe
end procedure
```

**Table 2.** *Risk assessment model of IT infrastructure.*

| Criticality of business process and information flow | Total threat value ≤ 0.39 | Total threat value 0.4 to 0.69 | Total threat value ≥ 0.7 |
|---|---|---|---|
| H | M | H | C |
| M | L | M | H |
| L | L | L | M |

*Note: C, critical; H, high; M, medium; and L, low.*

### **5.3 Risk assessment model**

The risk assessment model first evaluates the threat model for different IT entities as discussed in the previous subsection. Then, the overall threat value *τ* is calculated as the cumulative threat values of all the entities in the IT systems involved in the business process flow. Algorithm 1 illustrates the risk assessment procedure to determine the overall threat value *τ*.

Algorithm 1 uses a weight *we* for each entity to account for the criticality of different entities; the weights are chosen such that their sum equals 1, that is,

$$
\sum_{e} w_e = 1 \tag{3}
$$

In our work, we have used the term *weight* as it is a quantitative term instead of the term *criticality* which is usually a qualitative term.

The overall threat value (*τ*) and the criticality (*I*) of the business process and information flow are used to define the overall risk (*R*) of the entities in IT systems. The criticality of the business process and information flow can be high (H), medium (M) or low (L). The criticality of a business process and information flow depends on the impact of the business process and information flow in a specific application context. For example, in a banking application, transactions have high impact and hence have high importance, whereas the generation of logs has medium impact, leading to medium importance. On the other hand, simple query processing has a low impact on the context and hence has low importance. So, we consider three different criticality levels, that is, high (H), medium (M) and low (L), respectively, for these three types of business process and information flow.

The mapping function for assessing the risk of a specific business process and information flow is expressed as:

$$f: \tau \times I \to R \tag{4}$$

**Table 2** shows the risk assessment model of IT infrastructure with respect to the criticality and threat level of the specific business process and information flow in the enterprise network. For example, in a banking application, transactions have high impact and hence have high criticality whereas the generation of logs has medium impact leading to medium criticality. On the other hand, simple query processing has a low impact on the context and hence has low criticality. So, we consider three different criticality levels of the business process and information flow; that is, high (H), medium (M) and low (L), respectively for overall risk assessment. For example, if the criticality of a business process and information flow is high (H) and its threat value is 5.5, then the risk associated with the business process and information flow is high (H). Similarly, individual risk levels are determined concerning specific business processes and information flow.

The calculated risk measures determined by the risk assessment model are used in decision making and remediation planning for protecting the systems against different potential attacks. This process is executed recursively to eliminate or minimize the level of risk in the IT infrastructure.
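The following Python program is an added worked example, not code from the chapter or its authors, that runs the whole chain described in Sections 5.2 and 5.3: Eq. (1) for *Ve*, Eq. (2) for *Ee*, Algorithm 1 with the weight constraint of Eq. (3), and the Table 2 lookup that realises the mapping *f* of Eq. (4). The entity names, CVS values, peer counts and weights are constructed sample data; the treatment of an entity with no scored software (*Ve* = 0) and of threat values that fall in the gaps between the Table 2 bands (0.39 to 0.4, 0.69 to 0.7, assigned to the upper band) are assumptions not stated in the chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Table 2 of the chapter: rows are the criticality I of the business process and
# information flow, columns are the threat bands <=0.39, 0.4 to 0.69, >=0.7.
RISK_TABLE: Dict[str, Tuple[str, str, str]] = {
    "H": ("M", "H", "C"),
    "M": ("L", "M", "H"),
    "L": ("L", "L", "M"),
}


@dataclass
class Entity:
    """One IT entity. `cvs` holds the CVS (0..10) of every application, service
    or protocol found on it; `peers` is n in Eq. (2); `weight` is w_e."""
    name: str
    cvs: List[float]
    peers: int
    weight: float


def vulnerability(cvs: List[float]) -> float:
    """Eq. (1): V_e = (1/10) * (sum of CVS_i) / k, normalised to [0, 1].
    An entity with no scored software is treated as V_e = 0 (assumption)."""
    if not cvs:
        return 0.0
    if any(not 0.0 <= score <= 10.0 for score in cvs):
        raise ValueError("CVS values must lie between 0 and 10")
    return (sum(cvs) / len(cvs)) / 10.0


def exposure(peers: int, total_entities: int) -> float:
    """Eq. (2): E_e = n / N."""
    if total_entities <= 0 or not 0 <= peers <= total_entities:
        raise ValueError("need 0 <= n <= N and N > 0")
    return peers / total_entities


def entity_threat(entity: Entity, total_entities: int) -> float:
    """Algorithm 1, loop body: tau_e = V_e * E_e."""
    return vulnerability(entity.cvs) * exposure(entity.peers, total_entities)


def overall_threat(entities: List[Entity], total_entities: int) -> float:
    """Algorithm 1: tau = sum(w_e * tau_e), after checking Eq. (3), sum(w_e) = 1."""
    if abs(sum(e.weight for e in entities) - 1.0) > 1e-9:
        raise ValueError("entity weights must sum to 1 (Eq. 3)")
    return sum(e.weight * entity_threat(e, total_entities) for e in entities)


def threat_band(tau: float) -> int:
    """Column index into Table 2. Values in the gaps between the printed bands
    (e.g. 0.395) are assigned to the upper band (assumption)."""
    if tau < 0.4:
        return 0
    if tau < 0.7:
        return 1
    return 2


def risk_level(criticality: str, tau: float) -> str:
    """Eq. (4): f(tau, I) -> R, realised as the Table 2 lookup."""
    if criticality not in RISK_TABLE:
        raise ValueError("criticality must be H, M or L")
    return RISK_TABLE[criticality][threat_band(tau)]


def assess(entities: List[Entity], total_entities: int, criticality: str) -> Tuple[float, str]:
    """Run the whole chain: per-entity threat, overall tau, Table 2 risk level."""
    tau = overall_threat(entities, total_entities)
    return tau, risk_level(criticality, tau)


# Constructed sample: a six-entity network, three of whose entities carry the
# business process under assessment. CVS values are made up, not from any advisory.
TOTAL_ENTITIES = 6
SAMPLE: List[Entity] = [
    Entity("web-frontend", cvs=[7.5, 5.0], peers=3, weight=0.5),
    Entity("db-server", cvs=[9.8], peers=2, weight=0.3),
    Entity("log-collector", cvs=[4.3, 3.1, 2.0], peers=1, weight=0.2),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.name:14s} V_e={vulnerability(e.cvs):.3f} "
              f"E_e={exposure(e.peers, TOTAL_ENTITIES):.3f} "
              f"tau_e={entity_threat(e, TOTAL_ENTITIES):.3f}")
    tau, risk = assess(SAMPLE, TOTAL_ENTITIES, criticality="H")
    print(f"overall tau={tau:.3f} -> risk level {risk}")
```

Running the script on the constructed sample gives an overall threat value of about 0.265, which with criticality H lands in the first column of Table 2 and yields a medium (M) risk level; raising the web front end's exposure or the database's weight pushes the same business process into the H or C cells, which is the kind of what-if a remediation planner can read directly off the table.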

*Security and Privacy From a Legal, Ethical, and Technical Perspective*
