Software System Selection based on First-Order Security Risk Assessment Open Access
Often, multiple software products run on the same server, and a vulnerability in one product can compromise the entire system. It is therefore imperative to perform a security risk assessment when selecting the software products that will become part of a larger system. A quantitative security risk assessment model provides an objective criterion for such an assessment and for comparison between candidate software systems. This research presents a software product evaluation method built on such a quantitative model. The method draws on prior research in quantitative security risk assessment based on empirical data from the National Vulnerability Database (NVD) and compares the security risk levels of the evaluated products. We introduce topic modeling to build the security risk assessment model: the Latent Dirichlet Allocation (LDA) algorithm classifies the vulnerabilities into topics, which are then used as the measurement instruments to evaluate the candidate software products. Such a procedure could supplement the existing selection process and assist decision-makers in evaluating Open Source Software (OSS) systems, to ensure that a software product is safe and secure enough to be put into an organization's server environment. Thus, using a design science research methodology, we propose that historic vulnerability data be used to develop a quantitative security risk assessment model, giving system engineers a tool for comparing and evaluating OSS systems before adoption. Finally, the procedure is demonstrated in an experimental case study.
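The following is an added illustration of the pipeline sketched in the abstract, written for this page; it is not the paper's code and the scoring rule is not the paper's model. It assumes that NVD-style records are reduced to (id, product, description, CVSS base score), that the topics come from a small collapsed-Gibbs LDA implemented inline instead of a library, that a topic's weight is the CVSS-weighted mean severity of the vulnerabilities assigned to it, and that a product's risk is the sum over its vulnerabilities of their topic-weighted severity. The records and identifiers are constructed for the example, not real NVD entries.

```python
"""Added example, not the paper's implementation: vulnerability descriptions ->
LDA topics -> topic severity weights -> per-product risk score -> ranking.
Every numeric rule below (topic weight, product risk) is an assumption made
for illustration; the paper's own model is not reproduced here."""
import random
import re
from collections import defaultdict

# Constructed sample records (placeholder ids, not real CVEs):
# (id, product, NVD-style description, CVSS base score).
RECORDS = [
    ("VULN-0001", "webapp-a", "SQL injection in login form allows remote attacker to read database", 9.8),
    ("VULN-0002", "webapp-a", "Cross-site scripting in search parameter allows script injection", 6.1),
    ("VULN-0003", "webapp-a", "Buffer overflow in image parser allows remote code execution", 9.8),
    ("VULN-0004", "webapp-a", "Path traversal in file download allows reading arbitrary files", 7.5),
    ("VULN-0005", "webapp-a", "Cross-site scripting in comment field allows script injection", 6.1),
    ("VULN-0006", "webapp-b", "Stack buffer overflow in PDF parser allows remote code execution", 9.8),
    ("VULN-0007", "webapp-b", "SQL injection in report module allows attacker to read database", 8.8),
    ("VULN-0008", "webapp-c", "Cross-site scripting in profile page allows script injection", 5.4),
]

STOPWORDS = {"in", "to", "a", "an", "the", "allows", "of", "and", "remote", "attacker"}


def tokenize(text):
    """Lower-case word tokens with a tiny stopword list (assumed preprocessing)."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


def lda_gibbs(docs, k, iters=200, alpha=0.1, beta=0.01, seed=1):
    """Collapsed Gibbs sampling for LDA over token lists.
    Returns theta: one list of k topic proportions per document (each sums to 1)."""
    vocab = {w: i for i, w in enumerate(sorted({w for d in docs for w in d}))}
    v = len(vocab)
    rng = random.Random(seed)          # seeded so the example is reproducible
    n_dk = [[0] * k for _ in docs]     # topic counts per document
    n_kw = [[0] * v for _ in range(k)] # word counts per topic
    n_k = [0] * k                      # total tokens per topic
    z = []                             # current topic assignment of each token
    for d, doc in enumerate(docs):
        zd = []
        for w in doc:
            t = rng.randrange(k)
            zd.append(t)
            n_dk[d][t] += 1; n_kw[t][vocab[w]] += 1; n_k[t] += 1
        z.append(zd)
    for _ in range(iters):
        for d, doc in enumerate(docs):
            for i, w in enumerate(doc):
                t, wi = z[d][i], vocab[w]
                n_dk[d][t] -= 1; n_kw[t][wi] -= 1; n_k[t] -= 1
                # P(topic j | rest) ~ (n_dj + alpha) * (n_jw + beta) / (n_j + V*beta)
                weights = [(n_dk[d][j] + alpha) * (n_kw[j][wi] + beta) / (n_k[j] + v * beta)
                           for j in range(k)]
                t = rng.choices(range(k), weights=weights)[0]
                z[d][i] = t
                n_dk[d][t] += 1; n_kw[t][wi] += 1; n_k[t] += 1
    return [[(n_dk[d][j] + alpha) / (len(doc) + k * alpha) for j in range(k)]
            for d, doc in enumerate(docs)]


def topic_severity(theta, scores):
    """Assumed measurement instrument: weight of topic j is the CVSS-weighted
    mean over all records' mass on topic j (always within [min, max] CVSS)."""
    k = len(theta[0])
    return [sum(row[j] * s for row, s in zip(theta, scores)) / sum(row[j] for row in theta)
            for j in range(k)]


def product_risk(records, k=3):
    """Assumed aggregation: product risk = sum over its vulnerabilities of the
    topic-proportion-weighted topic severity. Returns {product: risk}."""
    docs = [tokenize(r[2]) for r in records]
    scores = [r[3] for r in records]
    theta = lda_gibbs(docs, k)
    w = topic_severity(theta, scores)
    risk = defaultdict(float)
    for r, row in zip(records, theta):
        risk[r[1]] += sum(p * wj for p, wj in zip(row, w))
    return dict(risk)


def rank_products(records, k=3):
    """Candidates ordered from lowest to highest assessed risk."""
    return sorted(product_risk(records, k).items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for product, score in rank_products(RECORDS):
        print(f"{product}: risk {score:.2f}")
```

Because each topic weight is a weighted mean of CVSS scores, a product's score is bounded below by its vulnerability count times the lowest CVSS in the corpus and above by the count times the highest, so the ranking here is stable across LDA seeds; with real NVD data the topic weights would instead separate, for example, memory-corruption topics from information-disclosure topics and the ranking would depend on which topics a product's vulnerabilities fall into.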