*Risk Assessment in IT Infrastructure* DOI: http://dx.doi.org/10.5772/intechopen.90907

*Security and Privacy From a Legal, Ethical, and Technical Perspective*

provided by the implementation of IT in organizations, open access control by different levels of users, ubiquitous execution of software modules, and control management introduce various security threats. These threats open the door to potential vulnerabilities, environmental interruptions, and inevitable errors leading to different cyber attacks. These attacks include Denial of Service (DoS), code injection, hidden tunnels, and others. As a result of such attacks, the confidentiality, integrity, and availability (CIA) of critical information is severely compromised. This, in turn, may have a huge impact on organizational assets, business operations, individuals, other stakeholders, and above all the Nation's assets.

Researchers have observed that threats from inside users and entities in organizations are more prominent than outside threats [1]. Organizations must understand the importance of, and their responsibility for, protecting critical organizational information, assets, and processes from intelligent attackers. It has become an imperative duty of the organization to assess the risk associated with the operation and use of different entities in information technology systems. Risk assessment is a key discipline for making effective business decisions by identifying potential managerial and technical problems in IT infrastructure. The necessary remediation can then be taken by the managers of the organization to minimize or eliminate the probability and impact of these problems.

This chapter presents an efficient risk assessment mechanism that proactively analyzes the risks of IT infrastructure while creating strong isolation between different entities. The proposed risk assessment solution determines the threat associated with different entities by analyzing vulnerability and exposure with respect to the Common Vulnerability Scoring System (CVSS) [2]. The overall risk of the IT systems is calculated as the cumulative threat value of the different entities. These risk measures, in turn, drive the remediation process for appropriate risk mitigation in the organization, strengthening the security perimeter of the organizational resources.

The rest of the chapter is organized as follows. Section 2 presents the related works in risk assessment in IT infrastructure. Section 3 presents the background of the risk assessment of IT infrastructure in organizations. The steps of risk assessment are discussed in Section 4. Section 5 presents our proposed IT risk assessment framework in detail. Section 6 summarizes the chapter.

**2. Related works**

Security risk assessment in enterprise networks has long remained a major challenge for the research community. Defining security metrics plays an important role in risk assessment. The literature [3–5] defines various security metrics. The effectiveness of a risk assessment mechanism relies on the security metrics considered during the risk evaluation process.

The earliest risk management mechanisms were qualitative, using the System Security Engineering-Capability Maturity Model (SSE-CMM) with attack graphs [6]. However, these works do not evaluate risk quantitatively, which can play a major role in identifying several threats. Later, the Common Vulnerability Scoring System (CVSS) [2] was proposed, which is used for quantitative risk evaluation. VRSS [7] is another quantitative approach that evaluates risk using a variety of vulnerability rating systems. It uses statistics from different vulnerability databases such as IBM ISS X-Force, Vupen Security, and the National Vulnerability Database to determine an overall risk measure for an organization. However, these works significantly lack accurate evaluation of risk in an enterprise network because of the security metrics considered and the evaluation process.

The work [4] presents a quantitative risk assessment method that determines the threat value from the number of attacks in a specific time interval. Munir et al. [8] proposed another quantitative risk assessment method using a vulnerability scanning tool (Nexpose) to determine the vulnerability value of each node in the network. This method uses CVSS and a probabilistic approach to determine an overall risk measure for the enterprise network. In another work [9], the risk of the network is analyzed by determining the impact and likelihood of vulnerabilities; it uses WPA2 as the basic cryptographic algorithm.

On the other hand, Guohua [10] presented a risk assessment technique based on the Analytic Hierarchy Process (AHP), which quantitatively determines the confidentiality, integrity, and availability of the assets with respect to the individual asset classes. In another work, Munir et al. [11] proposed a risk assessment mechanism based on the classification of different attacks according to their characteristics. This work also implements a method using rules from the Snort NIDPS signature database and the OWASP risk rating approach to determine the overall risk of an enterprise network.

In a recent work, Lamichhane et al. [12] presented a quantitative risk assessment approach which computes risk as a function of the overall exploitation of vulnerabilities along a path and the impact of that exploitation. This work implements Topological Vulnerability Analysis (TVA) for modeling and analyzing attack paths using an attack graph. Chalvatzis et al. [13] proposed a virtual machine based testing framework for evaluating the performance of vulnerability scanners in enterprise networks. That work presented comparative statistics for vulnerability scanning solutions such as Nessus, OpenVAS, and the Nmap Scripting Engine with respect to their automation of the risk assessment process.

However, the state-of-the-art works do not accurately determine the risk of an enterprise network when considering the risk associated with individual assets, the impact, and the criticality of the information flow. In this chapter, we present an efficient risk assessment mechanism for IT infrastructure deployment in industry which addresses the limitations of the existing risk assessment techniques. Our proposed solution ensures a strong security perimeter over the underlying organizational resources by considering the level of vulnerability, threat, and impact at individual assets as well as the criticality of the information flow in the organization.
