Razieh Rezaee - Data and Communication Security Lab., Computer Dept., Ferdowsi University of Mashhad, Iran.
Abbas Ghaemi Bafghi - Data and Communication Security Lab., Computer Dept., Ferdowsi University of Mashhad, Iran.

In security risk management of computer networks, some challenges are more serious in large networks. Specifying and estimating risks is largely dependent on the knowledge of security experts. In this paper, a framework for security risk estimation is proposed to address this issue. It represents the security knowledge required for security risk estimation and utilizes current security metrics and vulnerability databases. This framework is a major step towards automating the process of security risk estimation so that a network administrator can estimate the risk of the network with less expertise and effort. As a case study, the proposed framework is applied to a sample network to show its applicability and usability in operational environments. The comparison of results with two existing methods showed the validity of the estimations given by the proposed framework.

Security Threat, analysis model, Computer Networks, Risk Estimation, attack graph, Bayesian network