Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD Model

TL;DR

This paper introduces a fuzzy logic-based method for threat prioritization in an agile security framework, enhancing risk assessment by handling uncertainty in the DREAD model.

Contribution

It presents a novel fuzzy approach to improve threat risk evaluation within agile security practices using the DREAD model.

Findings

Fuzzy logic improves risk categorization accuracy.

The proposed method handles uncertainty better than traditional DREAD.

Case study demonstrates effectiveness with Matlab simulations.

Abstract

For a qualitative system sound security practices must be a crucial part throughout the entire software lifecycle. Furthermore, agile software development has paved the way for overcoming the problems faced by developers during traditional development process. In the given paper we are using an Agile Security Framework that is compatible with practices of agile processes and inherit in it the benefits of security engineering activities in the form of risk assessment and threat prioritization. One of the most popular techniques to deal with ever growing risks associated with security threats is DREAD model. It is used for rating risk of threats identified in the abuser stories. In this model threats needs to be defined by sharp cutoffs. However, such precise distribution is not suitable for risk categorization as risks are vague in nature and deals with high level of uncertainty. In view of these risk factors, our paper proposes a novel fuzzy approach using DREAD model for computing risk level that ensures better evaluation of imprecise concepts. Thus it provides the capacity to include subjectivity and uncertainty during risk ranking. A case study has been presented to illustrate and compare the proposed approach with the existing one using Matlab.