Bayesian Decision Network-Based Security Risk Management Framework
Journal of Network and Systems Management (IF 4.1), Pub Date: 2020-08-03, DOI: 10.1007/s10922-020-09558-5
Masoud Khosravi-Farmad, Abbas Ghaemi-Bafghi

Network security risk management comprises several essential processes, namely risk assessment, risk mitigation, and risk validation and monitoring, which should be carried out accurately to keep the overall security level of a network at an acceptable level. In this paper, an integrated framework for network security risk management is presented, based on a probabilistic graphical model called a Bayesian decision network (BDN). Using the BDN, we model the information needed for managing security risks, such as information about vulnerabilities, risk-reducing countermeasures and the effects of implementing them on vulnerabilities, with minimal need for expert knowledge. To increase the accuracy of the proposed risk assessment process, the probability of vulnerability exploitation and the impact of vulnerability exploitation on network assets are calculated using inherent, temporal and environmental factors. In the risk mitigation process, a cost-benefit analysis is performed efficiently using modified Bayesian inference algorithms, even under a limited budget. The experimental results show that the network security level improves significantly due to precise assessment and appropriate mitigation of risks.

Updated: 2020-08-03